
Logic for RDP Brute Force detection?

As Check Point does not publish its rules/logic for signatures, I am looking for help understanding the RDP brute force login signature.

Endpoint logs would be the source of truth (audit logs). How is this being detected on the wire? 

Edit: Here is the signature CPAI-2017-0754 | Check Point Software 

0 Kudos
2 Replies

Re: Logic for RDP Brute Force detection?

A client/server handshake for each attempt makes sense, but past that point the connection is encrypted. How is IPS checking if a login is a success or a failure? TCP flags?

This has been a low fidelity signature, so any thoughts are appreciated.

0 Kudos
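The question in both posts is what an on-wire sensor can actually see once the RDP session is encrypted. The example below is added here and is not from either poster, nor is it Check Point's signature logic (which the thread notes is unpublished). It shows the only kind of evidence a network sensor has without decrypting traffic: connection metadata. It counts short-lived TCP sessions to 3389 from one source to one destination inside a sliding window and raises an alert when a threshold is reached. The flow records, the thresholds (10 connections in 60 s, under 5 s and under 8000 bytes each) and the field layout are all constructed assumptions for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample flow records (not from the thread or any Check Point log).
# Fields: timestamp  src_ip  dst_ip  dst_port  duration_seconds  bytes_total
SAMPLE_FLOWS = """\
# 12 short sessions from one source in 22 seconds: looks like repeated logon attempts
2024-01-01T10:00:00 10.0.0.5 192.168.1.10 3389 1.2 3100
2024-01-01T10:00:02 10.0.0.5 192.168.1.10 3389 1.1 3050
2024-01-01T10:00:03 10.0.0.5 192.168.1.10 443 0.5 1200
2024-01-01T10:00:04 10.0.0.5 192.168.1.10 3389 1.3 3120
2024-01-01T10:00:05 10.0.0.7 192.168.1.10 3389 3600.0 5200000
2024-01-01T10:00:06 10.0.0.5 192.168.1.10 3389 1.2 3080
2024-01-01T10:00:08 10.0.0.5 192.168.1.10 3389 1.4 3110
2024-01-01T10:00:10 10.0.0.5 192.168.1.10 3389 1.1 3060
2024-01-01T10:00:12 10.0.0.5 192.168.1.10 3389 1.2 3090
2024-01-01T10:00:14 10.0.0.5 192.168.1.10 3389 1.3 3100
2024-01-01T10:00:16 10.0.0.5 192.168.1.10 3389 1.2 3070
2024-01-01T10:00:18 10.0.0.5 192.168.1.10 3389 1.5 3130
2024-01-01T10:00:20 10.0.0.5 192.168.1.10 3389 1.2 3090
2024-01-01T10:00:22 10.0.0.5 192.168.1.10 3389 1.1 3040
# 4 short sessions from another source: under the default threshold
2024-01-01T10:01:00 10.0.0.9 192.168.1.20 3389 2.0 2900
2024-01-01T10:01:10 10.0.0.9 192.168.1.20 3389 2.1 2950
2024-01-01T10:01:20 10.0.0.9 192.168.1.20 3389 1.9 2880
2024-01-01T10:01:30 10.0.0.9 192.168.1.20 3389 2.0 2910
"""


def parse_flows(text):
    """Parse the whitespace-separated flow format above into dicts, sorted by time."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, dur, nbytes = line.split()
        flows.append({
            "ts": datetime.fromisoformat(ts),
            "src": src,
            "dst": dst,
            "dport": int(dport),
            "duration": float(dur),
            "bytes": int(nbytes),
        })
    flows.sort(key=lambda f: f["ts"])
    return flows


def is_short_rdp_session(flow, max_duration, max_bytes):
    """A session that completed the handshake but was torn down almost at once
    with little data is consistent with a rejected logon. It is equally
    consistent with a client retrying, a scanner, or a user mistyping, which is
    why this class of detection is low fidelity."""
    return (flow["dport"] == 3389
            and flow["duration"] <= max_duration
            and flow["bytes"] <= max_bytes)


def detect_rdp_bruteforce(flows, threshold=10, window_s=60,
                          max_duration=5.0, max_bytes=8000):
    """Sliding-window count of short RDP sessions per (src, dst) pair.
    Emits one alert per pair when the count in the window reaches threshold.
    Thresholds are assumed values, not Check Point's."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)   # (src, dst) -> timestamps inside the window
    alerted = set()
    alerts = []
    for flow in flows:
        if not is_short_rdp_session(flow, max_duration, max_bytes):
            continue
        key = (flow["src"], flow["dst"])
        q = recent[key]
        q.append(flow["ts"])
        while q and flow["ts"] - q[0] > window:   # drop events older than the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"src": key[0], "dst": key[1], "count": len(q),
                           "first": q[0], "last": flow["ts"]})
    return alerts


if __name__ == "__main__":
    for a in detect_rdp_bruteforce(parse_flows(SAMPLE_FLOWS)):
        print(f"possible RDP brute force: {a['src']} -> {a['dst']} "
              f"{a['count']} short sessions between {a['first']} and {a['last']}")
```

Nothing in this logic can tell a failed logon from a successful one: the long session from 10.0.0.7 is excluded only because it stayed up and moved data, not because the sensor saw a successful authentication. That is the gap the second post points at, and the usual way to close it is to correlate the network alert with the endpoint's own audit trail (failed-logon events on the target host) rather than to tune the wire-side thresholds further.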