Rule:

--
Sid:
2044

--
Summary:
The Point to Point Tunneling Protocol (PPTP) is used to connect client machines to internal corporate resources using a Virtual Private Network (VPN) across a public network such as the Internet via an encrypted session.


--
Impact:
Possible loss of data from an internal network to an unknown external source.

--
Detailed Information:
This event indicates that a PPTP session from an unknown external source to an internal resource has been attempted. This may be an indication of an attempt to initialize an encrypted session for nefarious purposes.

A user may try to use an encrypted tunnel to evade possible detection when transferring files from an internal resource to an unauthorized external party. It may also be the result of a machine compromise where an internal resource is now controlled by an external third party.

--
Affected Systems:
All systems allowing PPTP connections from an external to internal resource.

--
Attack Scenarios:
The user only needs to initiate a connection to an internal resource.

--
Ease of Attack:
Simple

--
False Positives:
None Known

--
False Negatives:
None Known

--
Corrective Action:
Disallow PPTP transactions from non-trusted networks to the internal LAN.

--
Contributors:
Sourcefire Vulnerability Research Team
Brian Caswell <bmc@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>

--
Additional References:

--
