Wireshark capture filter (pcap-filter syntax): not host 10.20.30.24 and not port 3389

    # Display filters (Wireshark dfilter syntax), as opposed to the pcap capture filter
    # in the title. frame.time is compared in the analysis host's local time zone
    # (confirm against the capture), so shift the window if the pcap was taken elsewhere.
    # Drop one host from both directions. Keep the negated-equality form: ip.addr occurs
    # twice per packet (src and dst), and in older Wireshark versions "ip.addr != x"
    # meant "any occurrence differs", which matched almost everything.
    !(ip.addr == 10.20.30.24)
    # Any Kerberos message that carries an encryption-type field at all
    kerberos.ENCTYPE
    # Kerberos messages whose enctype list contains neither 16 nor 15.
    # "!kerberos.ENCTYPE ==16" is parsed as "!(kerberos.ENCTYPE == 16)", i.e. no
    # occurrence of the (multi-valued) field equals 16 - parenthesise it when editing
    # so the precedence is explicit. Values are IANA Kerberos enctype numbers
    # (e.g. 17/18 = AES, 23 = RC4-HMAC); choose what to exclude from what the domain permits.
    kerberos.ENCTYPE && (!kerberos.ENCTYPE ==16 && !kerberos.ENCTYPE ==15)
    # 90-second window around the event of interest
    frame.time >= "Mar  5, 2023 17:12:30.0" && frame.time <= "Mar  5, 2023 17:14:00.0"
    # Same window, restricted to one host (either direction)
    (frame.time >= "Mar  5, 2023 17:12:30.0" && frame.time <= "Mar  5, 2023 17:14:00.0") && (ip.addr == 10.20.62.4)
    # Shorter window (ends 17:13:45), one host, with RDP (3389) excluded on both TCP and UDP;
    # "!tcp.port == 3389" again reads as "!(tcp.port == 3389)", so neither endpoint may be 3389
    (frame.time >= "Mar  5, 2023 17:12:30.0" && frame.time <= "Mar  5, 2023 17:13:45.0") && (ip.addr == 10.20.62.4) && (!tcp.port == 3389 && !udp.port ==3389)


Kerberos
# --- DNS -------------------------------------------------------------------
# Queries only (QR flag clear)
(dns) && (dns.flags.response == 0)
# Query type A (IPv4 host address, type 1)
(dns.qry.type == 1)
# Everything that is not an A query (e.g. PTR = 12, AAAA = 28, SRV = 33)
dns and !(dns.qry.type == 1)
# SRV queries (type 33): AD clients use these to locate DCs, LDAP and Kerberos services
(dns) && (dns.qry.type == 33)

# Responses with RCODE 3 (NXDOMAIN): the queried name does not exist.
# A burst of these from a single host is worth a look (stale config, typos, or name probing).
dns.flags.rcode == 3
# RCODE 0 (NoError); note this also includes responses with an empty answer section
dns.flags.rcode == 0
# SRV responses, with or without records
((dns.qry.type == 33) && (dns.flags.response == 1))
# SRV responses that returned no answer records (NoError/NODATA or NXDOMAIN alike)
((dns.qry.type == 33) && (dns.flags.response == 1)) && (dns.count.answers == 0)
# Any DNS packet with at least one answer RR; queries normally carry 0, so this is responses
dns && !(dns.count.answers ==0)
# Name matching. "contains" is a case-sensitive byte-substring test, while DNS names are
# case-insensitive; use "matches" (case-insensitive regex by default) when case may vary.
dns.srv.name contains "ReleCloud.vVette.com"
# Underscore-prefixed labels (_ldap, _kerberos, _msdcs, ...) are AD service-location names
dns.qry.name contains "_"
dns.qry.name contains "_ldap"
# contains: literal, case-sensitive substring
# matches:  case-insensitive regular expression, e.g.  dns.srv.name matches "relecloud.vvette.com"
# --- Kerberos --------------------------------------------------------------
# All Kerberos traffic for one client principal; "==" on strings is case-sensitive
(kerberos) && (kerberos.CNameString == "var_melech")
# Client realm vs. request/ticket realm (confirm which message field each maps to in
# your Wireshark version); realm names are conventionally upper-case
(kerberos.crealm == "VVETTE.COM")
(kerberos.realm == "RELECLOUD.VVETTE.COM")
# Messages carrying pre-authentication data (PA-DATA)
kerberos.padata_value

Open question: is the realm shown as the NetBIOS domain name when the logon uses NETBIOS\username, and as the FQDN when it uses username@fqdn?

# Kerberos traffic to or from one host whose service-principal name mentions the DC host name.
# "contains" is case-sensitive; SNameString holds the sname components of the request/ticket.
(ip.addr == 10.10.20.8 && kerberos) && (kerberos.SNameString contains "va-vva-dc-vm")
