https://community.checkpoint.com/t5/Firewall-and-Security-Management/Logic-for-RDP-Brute-Force-detection/m-p/47470#M58058 <A href="https://www.zdnet.com/article/brute-force-rdp-attacks-depend-on-your-mistakes/" target="_blank">https://www.zdnet.com/article/brute-force-rdp-attacks-depend-on-your-mistakes/</A><BR /><BR /><A href="https://blog.emsisoft.com/en/28622/rdp-brute-force-attack/" target="_blank">https://blog.emsisoft.com/en/28622/rdp-brute-force-attack/</A> Mon, 18 Mar 2019 14:52:31 GMT G_W_Albrecht 2019-03-18T14:52:31Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Logic-for-RDP-Brute-Force-detection/m-p/10985#M58056 <HTML><HEAD></HEAD><BODY><P>As Check Point does not publish its rules/logic for signatures, I am looking for help understanding the RDP brute force login signature.</P><P></P><P>Endpoint logs would be the source of truth (audit logs). How is this being detected on the wire?&nbsp;</P><P></P><P>Edit: Here is the signature&nbsp;<A class="link-titled" href="https://www.checkpoint.com/defense/advisories/public/2017/cpai-2017-0754.html" title="https://www.checkpoint.com/defense/advisories/public/2017/cpai-2017-0754.html">CPAI-2017-0754 | Check Point Software</A>&nbsp;</P></BODY></HTML> Wed, 06 Mar 2019 18:50:46 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Logic-for-RDP-Brute-Force-detection/m-p/10985#M58056 Justin_Hysler 2019-03-06T18:50:46Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Logic-for-RDP-Brute-Force-detection/m-p/10986#M58057 <HTML><HEAD></HEAD><BODY><P>A client/server handshake for each attempt makes sense but past that point the connection is encrypted how is IPS checking if login is a success or fail? TCP flags?&nbsp;<BR /><BR />This has been a low fidelity signature, so any thoughts are appreciated.</P></BODY></HTML> Wed, 06 Mar 2019 18:52:31 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Logic-for-RDP-Brute-Force-detection/m-p/10986#M58057 Justin_Hysler 2019-03-06T18:52:31Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Logic-for-RDP-Brute-Force-detection/m-p/47470#M58058 <A href="https://www.zdnet.com/article/brute-force-rdp-attacks-depend-on-your-mistakes/" target="_blank">https://www.zdnet.com/article/brute-force-rdp-attacks-depend-on-your-mistakes/</A><BR /><BR /><A href="https://blog.emsisoft.com/en/28622/rdp-brute-force-attack/" target="_blank">https://blog.emsisoft.com/en/28622/rdp-brute-force-attack/</A> Mon, 18 Mar 2019 14:52:31 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Logic-for-RDP-Brute-Force-detection/m-p/47470#M58058 G_W_Albrecht 2019-03-18T14:52:31Z