Protocol Doesn't Seem to Block OR Log - Page 2

dmorris · 04-09-2009, 09:20 PM

Quote:

Originally Posted by datdamnmachine

Also, will it only log internal traffic going out the external interface or will it also log external traffic coming in the external and going out the internal?

It doesn't care about direction.

It just matches any traffic that matches the regex signature in the first 8 or 10 chunks of data.

datdamnmachine · 04-10-2009, 11:03 AM

Quote:

Originally Posted by dmorris

It doesn't care about direction.

It just matches any traffic that matches the regex signature in the first 8 or 10 chunks of data.

Well then I do know that RDP in both directions doesn't get logged.

255 · 04-18-2009, 06:13 PM

Have to be honest that I seem to have a similar issue with protocol logging. I only seem to be getting a selective few protocols that are logging.

Skathen · 05-18-2009, 11:41 PM

Mine is logging XP fine, Vista it just ignores, same rules apply to both sets of users.

datdamnmachine · 05-19-2009, 07:06 PM

Quote:

Originally Posted by Skathen

Mine is logging XP fine, Vista it just ignores, same rules apply to both sets of users.

On yours, are you using RDP over TLS? If that is the case then because the traffic is over TLS, it MIGHT not be detecting it. I'm no developer of the product but there could be an issue there.

Also, I am using the following version of RDP (or mstsc.exe for those who want to be extremely literal):

6.0.6001.18000

dmorris · 05-19-2009, 10:37 PM

I'd whip out wireshark and see if this matches it

http://l7-filter.sourceforge.net/lay...tocols/rdp.pat

it does say XP and 2000

lbgaus · 05-28-2009, 02:25 PM

Using Wireshark I was able to determine the correct signature that the new RDP client uses.

If you add an entry to the Protocol Filter containing the following signature:

rdpdr.*rdpsnd.*drdynvc.*cliprdr

it will begin blocking/logging RDP again.

dmorris · 07-02-2009, 08:38 AM

Quote:

Originally Posted by lbgaus

Using Wireshark I was able to determine the correct signature that the new RDP client uses.

If you add an entry to the Protocol Filter containing the following signature:

rdpdr.*rdpsnd.*drdynvc.*cliprdr

it will begin blocking/logging RDP again.

I missed this post.
Great info!

BucK · 09-20-2009, 06:55 AM

Quote:

Originally Posted by lbgaus

Using Wireshark I was able to determine the correct signature that the new RDP client uses.

If you add an entry to the Protocol Filter containing the following signature:

rdpdr.*rdpsnd.*drdynvc.*cliprdr

it will begin blocking/logging RDP again.

I'm running Build: 6.2.0~svn20090527r23446release6.2-1lenny and had to change the signature to this also - great information.

I had an incident recently where "Administrator" logged onto a computer via remote desktop (you betcha I've changed the password) but knowing the IP address that this came from would have been a great help tracking this down. At least now if he/she/it tries again I should be able to find out the origin.

Thanks!

Carolyn Steen · 10-22-2009, 07:25 AM

Did you ever get an answer to your problem with VNC not being blocked? My UT is not blocking VNC either. UT just updated to 7. I have tried completely reinstalling-- protocol control still not blocking VNC. Here's my system info: Summary:
UID: 0ea4-54e8-4b3a-1172
Build: 7.0.0~svn20090924r24591release7.0-1lenny

Java: 1.6.0_12

Can anyone help please?

04-18-2009, 06:13 PM	#13 (permalink)
255 Untanglit Join Date: Apr 2009 Location: Hamilton, New Zealand Posts: 16	Have to be honest that I seem to have a similar issue with protocol logging. I only seem to be getting a selective few protocols that are logging. __________________ Codeblue, New Zealand L1, 36 Bryce St Hamilton +64 7 9292200

05-19-2009, 10:37 PM	#16 (permalink)
dmorris Untangle Junkie Join Date: Nov 2006 Location: San Mateo, CA URLs submitted: 10 Posts: 10,613	I'd whip out wireshark and see if this matches it http://l7-filter.sourceforge.net/lay...tocols/rdp.pat it does say XP and 2000 __________________ Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself. If you need Untangle support please call or email support@untangle.com

Protect

Filter

Perform

Connect

Manage

Add-Ons

05-18-2009, 11:41 PM	#14 (permalink)
Skathen Untangler Join Date: Jun 2008 Posts: 52	Mine is logging XP fine, Vista it just ignores, same rules apply to both sets of users.

05-28-2009, 02:25 PM	#17 (permalink)
lbgaus Newbie Join Date: May 2009 Posts: 8	Using Wireshark I was able to determine the correct signature that the new RDP client uses. If you add an entry to the Protocol Filter containing the following signature: rdpdr.rdpsnd.drdynvc.*cliprdr it will begin blocking/logging RDP again.

10-22-2009, 07:25 AM	#20 (permalink)
Carolyn Steen Newbie Join Date: Aug 2009 Posts: 3	Did you ever get an answer to your problem with VNC not being blocked? My UT is not blocking VNC either. UT just updated to 7. I have tried completely reinstalling-- protocol control still not blocking VNC. Here's my system info: Summary: UID: 0ea4-54e8-4b3a-1172 Build: 7.0.0~svn20090924r24591release7.0-1lenny Java: 1.6.0_12 Can anyone help please?