A whole bunch of RDP users started losing connections with RDP error 0x609 when their sessions traversed Cisco Firepower Snort inspection, because of a rule update pushed out by Cisco Talos.
Here is how to fix this without disabling your IPS inspection entirely.
First, here is the update that caused this issue:
Now let's take a look at the specific rules that caused it.
From your FMC, choose Policies > Intrusion.
Open your IPS policy by clicking the pencil icon on the right-hand side of the policy.
Go to Policy Layers > My Changes > Rules, then scroll down in the rule accordion to Rule Updates.
Click the newly installed update, then click New.
In the filter bar, add RDP to the end of the current search; between 7 and 28 rules will show up, depending on your rule set.
Click the top four rules (SIDs 50186-50189), then go to Rule State and choose Disable.
Save your policy and redeploy. This skips inspection for those four rules only; every other enabled rule still inspects the traffic, so you keep your IPS coverage while the RDP sessions recover.
The four rules contain content replace keywords. They appear to be intended to rewrite part of the RDP handshake so that the original detection rule can actually see the exploit, but the replacement was being applied to every RDP connection that passed through the sensor, which is what broke the sessions. Snort's replace option only takes effect when the sensor is inline (it overwrites the matched content in the packet with a string of exactly the same length), so passive or tap deployments would not have seen this. Re-check these SIDs after the next Talos update before leaving them disabled permanently, since revised versions may drop the replace behaviour.
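Since the breakage came from payload rewriting rather than from detection alone, it is useful to be able to audit a rule set for other rules that rewrite RDP traffic. The following is an added example, not part of the original post and not Cisco or Talos code: it parses Snort 2 style text rules, pairs each replace option with the content it modifies, checks the Snort requirement that both be the same byte length, and lists the SIDs that both match port 3389 and carry a replace. The rules embedded in it are constructed stand-ins: they reuse the SIDs named in the post for convenience, but their bodies are invented and are not the real Talos rule text.

```python
import re

# Constructed sample rules, for illustration only. The SIDs are the four the
# post names plus two controls, but every rule body is an invented stand-in:
# this is NOT the text of the Talos rules.
SAMPLE_RULES = """
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"OS-WINDOWS example RDP normalization A"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|E0|"; replace:"|E1|"; sid:50186; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"OS-WINDOWS example RDP normalization B"; flow:to_server,established; content:"ABCD"; replace:"ABCE"; sid:50187; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"OS-WINDOWS example RDP normalization C"; flow:to_server,established; content:"|02 F0 80|"; replace:"|02 F0 81|"; sid:50188; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"OS-WINDOWS example RDP normalization D"; flow:to_server,established; content:"mstshash"; replace:"mstshasX"; sid:50189; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"OS-WINDOWS example RDP detect-only rule"; flow:to_server,established; content:"|03 00 00|"; depth:3; sid:50190; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS example SMB rule with replace"; flow:to_server,established; content:"|FF|SMB"; replace:"|FF|SMC"; sid:50191; rev:1;)
"""

# One rule option: name, optional ":value" (quoted strings may contain ';'), then ';'
OPTION_RE = re.compile(r'\s*(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')


def snort_bytes(value):
    """Byte length of a Snort content/replace string such as "|03 00|AB".

    Text between pipes is hex pairs (one byte each); text outside is literal.
    """
    total = 0
    for i, part in enumerate(value.strip().lstrip('!').strip('"').split('|')):
        if i % 2 == 1:
            total += len(part.split())   # hex bytes between pipes
        else:
            total += len(part)           # literal characters
    return total


def parse_rule(line):
    """Split one rule into header tokens and ordered (name, value) options."""
    head, _, body = line.partition('(')
    body = body.rstrip().rstrip(')')
    options = [(m.group(1), m.group(2)) for m in OPTION_RE.finditer(body)]
    return head.split(), options


def audit_rules(rules_text, port="3389"):
    """Map sid -> {msg, hits_port, replaces:[(content, replace, same_len)]}.

    The header is assumed to be the simple form
    'action proto src sport dir dst dport'; port lists are not expanded.
    """
    report = {}
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        header, options = parse_rule(line)
        hits_port = port in (header[3], header[6])
        sid, msg, last_content, replaces = None, "", None, []
        for name, value in options:
            if name == "sid":
                sid = int(value)
            elif name == "msg":
                msg = value.strip('"')
            elif name == "content":
                last_content = value          # replace applies to the latest content
            elif name == "replace" and last_content is not None:
                # Snort requires the replacement to be exactly as long as the match
                same_len = snort_bytes(last_content) == snort_bytes(value)
                replaces.append((last_content, value, same_len))
        if sid is not None:
            report[sid] = {"msg": msg, "hits_port": hits_port, "replaces": replaces}
    return report


def rdp_replace_sids(rules_text, port="3389"):
    """SIDs of rules that both target the RDP port and rewrite payload with replace."""
    return sorted(sid for sid, r in audit_rules(rules_text, port).items()
                  if r["hits_port"] and r["replaces"])


if __name__ == "__main__":
    for sid, r in sorted(audit_rules(SAMPLE_RULES).items()):
        flags = [f for f, on in (("rdp", r["hits_port"]), ("replace", r["replaces"])) if on]
        print(sid, r["msg"], ",".join(flags) or "-")
    print("candidates to disable:", rdp_replace_sids(SAMPLE_RULES))
```

Run against a real exported rule file instead of SAMPLE_RULES and the output is the list of SIDs to look at in the FMC rule editor; rules with a replace that is not the same length as its content are also worth flagging, since Snort rejects those at load time.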