[Snort-sigs] SMB Login Failure
andy.wood at ...1567...
Fri Jun 6 05:16:21 EDT 2003
The Cisco IDSs do a good job of detecting internal attacks, one
being SMB Login Failures. This rule is nice for detecting servers that have
misconfigured services, not to mention someone trying to brute force. There
is no snort rule that detects SMB failures that I have seen. I have
captured a failure, but am not able to tell if I have constructed the best
rule. Can anyone offer any suggestions? My doubt comes with the Offset and
Depth section, as I'm not quite sure how to determine byte positions within
the Hex patterns. (The rule does work with both being set to 1) Thanks.
Attached is the cap in TCPDUMP format. Packet 33 is the server's
alert tcp any 139 -> any any (msg:"SMB Login Failure - Port 139"; flow:to_client,established; content:"|6d 00 00 c0|"; offset:1; depth:1; sid
alert tcp any 445 -> any any (msg:"SMB Login Failure - Port 445"; flow:to_client,established; content:"|6d 00 00 c0|"; offset:1; depth:1; sid:3000005; rev:1;)
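As an added example (not part of the original post or the attached capture), the Python below lays out where the 4-byte NT status sits in an SMB1 response payload and models Snort's content/offset/depth window so the byte positions can be checked. It constructs its own minimal Session Setup AndX response; the status value NT_STATUS_LOGON_FAILURE (0xC000006D), the command byte 0x73 and the reply flag come from the SMB1 specification, and the model assumes depth is counted from the offset, as in Snort 2.

```python
import struct

# Constants from the SMB1 (CIFS) specification.
NT_STATUS_LOGON_FAILURE = 0xC000006D      # little-endian on the wire: 6d 00 00 c0
SMB_COM_SESSION_SETUP_ANDX = 0x73
SMB_FLAGS_REPLY = 0x80                    # set on every server response
RULE_CONTENT = bytes.fromhex("6d0000c0")  # the content pattern from the posted rule

def build_smb1_response(command, nt_status):
    """Constructed sample: NetBIOS session header + minimal 32-byte SMB1 header
    followed by WordCount=0 and ByteCount=0. Not taken from the attached capture."""
    hdr = b"\xffSMB" + struct.pack("<BIBH", command, nt_status, SMB_FLAGS_REPLY, 0xC801)
    hdr += b"\x00" * (32 - len(hdr))      # PIDHigh, signature, TID, PID, UID, MID zeroed
    body = hdr + b"\x00\x00\x00"
    return b"\x00" + len(body).to_bytes(3, "big") + body  # type 0x00 + 3-byte length

def nt_status_offset(payload):
    """Payload offset of the NT status: 4 (NetBIOS) + 4 (0xFF 'SMB') + 1 (command) = 9."""
    if len(payload) < 13 or payload[0] != 0x00 or payload[4:8] != b"\xffSMB":
        return None
    return 9

def snort_content_match(payload, content, offset=0, depth=None):
    """Model of Snort's content/offset/depth: look for `content` in the window
    starting at `offset` and spanning `depth` bytes (assumes depth counts from offset)."""
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    return content in window

def logon_failure_alert(payload):
    """Tighter decoder-based check: SMB1 reply to SESSION_SETUP_ANDX with LOGON_FAILURE,
    so a LOGON_FAILURE status on some other command does not fire."""
    off = nt_status_offset(payload)
    if off is None:
        return False
    (status,) = struct.unpack_from("<I", payload, off)
    return (payload[8] == SMB_COM_SESSION_SETUP_ANDX
            and bool(payload[off + 4] & SMB_FLAGS_REPLY)
            and status == NT_STATUS_LOGON_FAILURE)

if __name__ == "__main__":
    pkt = build_smb1_response(SMB_COM_SESSION_SETUP_ANDX, NT_STATUS_LOGON_FAILURE)
    print("status offset:", nt_status_offset(pkt))                              # 9
    print("offset:9 depth:4 ->", snort_content_match(pkt, RULE_CONTENT, 9, 4))  # True
    print("offset:1 depth:1 ->", snort_content_match(pkt, RULE_CONTENT, 1, 1))  # False
    print("decoded alert    ->", logon_failure_alert(pkt))                      # True
```

A content-only match at offset 9 still fires on any SMB1 reply carrying that status, which is why the decoder check also tests the command byte.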