[Snort-sigs] SMB Login Failure

Andy Wood andy.wood at ...1567...
Fri Jun 6 05:16:21 EDT 2003


	The Cisco IDSs do a good job of detecting internal attacks, one
being SMB Login Failures.  This rule is nice for detecting servers that have
misconfigured services, not to mention someone trying to brute force.  There
is no Snort rule that detects SMB failures that I have seen.  I have
captured a failure, but am not able to tell if I have constructed the best
rule.  Can anyone offer any suggestions?  My doubt comes with the Offset and
Depth section, as I'm not quite sure how to determine byte positions within
the hex patterns.  (The rule does work with both being set to 1.)  Thanks.

	Attached is the capture in tcpdump format.  Packet 33 is the server's
failure response.

# The 4-byte NetBIOS session header, then "|ff|SMB" (4 bytes) and the 1-byte
# SMB command, precede the 4-byte NT status, so the status starts at payload
# byte 9. STATUS_LOGON_FAILURE (0xC000006D) is little-endian on the wire:
# 6d 00 00 c0. offset:9 with depth:4 examines exactly that field, and every
# option needs a colon (depth:, sid:).
alert tcp any 139 -> any any (msg:"SMB Login Failure - Port 139"; flow:to_client,established; content:"|6d 00 00 c0|"; offset:9; depth:4; sid:3000004; rev:1;)

RULE-LOCKED:alert tcp any 445 -> any any (msg:"SMB Login Failure - Port
445"; flow:to_client,established; content:"|6d 00 00 c0|"; offset: 1; depth
1; sid 3000005; rev:1;)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smb_fail.dmp
Type: application/octet-stream
Size: 4996 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20030606/18afb0fe/attachment.obj>
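Editor's note: the example below is an added worked example and is not part of Andy's post, the Snort rules above, or the attached capture. It constructs two SMB1 session-setup replies (a logon failure and a success whose data happens to contain the same four bytes), walks the NetBIOS and SMB headers to find where the NT status field sits, and emulates Snort's content/offset/depth matching to show why the byte position matters: with a one-byte window the four-byte pattern can never fit, with no window at all the pattern also fires on ordinary data, and offset 9 / depth 4 hits exactly the status field. The packet contents, the Windows version string and the hypothetical stricter command-plus-status pattern are all assumptions made for illustration.

```python
import struct

# SMB1 (CIFS) wire-format constants; the status value is the one the posted
# rule matches (6d 00 00 c0 is 0xC000006D stored little-endian).
SMB_MAGIC = b"\xffSMB"
SMB_COM_SESSION_SETUP_ANDX = 0x73
STATUS_SUCCESS = 0x00000000
STATUS_LOGON_FAILURE = 0xC000006D
LOGON_FAILURE_LE = struct.pack("<I", STATUS_LOGON_FAILURE)  # b"\x6d\x00\x00\xc0"
NBSS_HDR_LEN = 4    # NetBIOS session service: 1-byte type + 3-byte length
SMB1_HDR_LEN = 32


def build_smb1_response(command, nt_status, body):
    """Build a constructed NBSS-framed SMB1 reply (not taken from the capture)."""
    hdr = SMB_MAGIC                                # SMB header bytes 0..3
    hdr += struct.pack("<B", command)              # byte 4: command
    hdr += struct.pack("<I", nt_status)            # bytes 5..8: NT status, little-endian
    hdr += struct.pack("<B", 0x88)                 # Flags: reply, case-insensitive
    hdr += struct.pack("<H", 0xC001)               # Flags2: NT status codes, Unicode, long names
    hdr += b"\x00" * 2                             # PIDHigh
    hdr += b"\x00" * 8                             # SecurityFeatures (signature unused)
    hdr += b"\x00" * 2                             # Reserved
    hdr += struct.pack("<HHHH", 0, 0xFEFF, 0, 0)   # TID, PID, UID, MID
    assert len(hdr) == SMB1_HDR_LEN
    smb = hdr + body
    # NBSS session message: type byte 0x00 followed by a 24-bit big-endian length.
    return struct.pack(">I", len(smb)) + smb


def parse_nt_status(payload):
    """Locate the NT status field in an NBSS-framed SMB1 message.

    Returns (absolute offset of the status field, command, status).  Counting
    the framing bytes in front of the field is how the offset/depth for a
    content match is determined."""
    if len(payload) < NBSS_HDR_LEN + SMB1_HDR_LEN:
        raise ValueError("payload too short for NBSS + SMB1 header")
    if payload[0] != 0x00:
        raise ValueError("not an NBSS session message")
    if int.from_bytes(payload[1:4], "big") != len(payload) - NBSS_HDR_LEN:
        raise ValueError("NBSS length does not match payload")
    smb = payload[NBSS_HDR_LEN:]
    if smb[:4] != SMB_MAGIC:
        raise ValueError("not an SMB1 header")
    command = smb[4]
    status = struct.unpack_from("<I", smb, 5)[0]
    return NBSS_HDR_LEN + 5, command, status


def snort_content_match(payload, content, offset=0, depth=None):
    """Emulate Snort's content/offset/depth: `offset` bytes are skipped, then at
    most `depth` bytes are searched; the whole pattern must fit in that window.
    depth=None searches to the end of the payload."""
    end = len(payload) if depth is None else offset + depth
    return content in payload[offset:end]


# Constructed packets (assumptions, not the capture).  FAILURE_PKT is the shape a
# failed session setup reply takes; SUCCESS_PKT is a successful logon whose data
# bytes happen to contain 6d 00 00 c0, to show a false positive.
FAILURE_PKT = build_smb1_response(SMB_COM_SESSION_SETUP_ANDX, STATUS_LOGON_FAILURE,
                                  b"\x00\x00\x00")            # WordCount 0, ByteCount 0
_data = b"Windows 5.0\x00" + LOGON_FAILURE_LE + b"\x00"       # hypothetical data bytes
SUCCESS_PKT = build_smb1_response(SMB_COM_SESSION_SETUP_ANDX, STATUS_SUCCESS,
                                  b"\x03\xff\x00\x00\x00\x00\x00"  # WordCount 3, AndX words
                                  + struct.pack("<H", len(_data)) + _data)


def rule_as_posted(payload):
    """offset:1; depth:1 gives a one-byte window; the four-byte pattern never fits."""
    return snort_content_match(payload, LOGON_FAILURE_LE, offset=1, depth=1)


def rule_unanchored(payload):
    """No offset/depth: matches the bytes anywhere, including application data."""
    return snort_content_match(payload, LOGON_FAILURE_LE)


def rule_anchored(payload):
    """offset:9; depth:4 covers exactly the NT status field (4 NBSS + 4 magic + 1 command)."""
    return snort_content_match(payload, LOGON_FAILURE_LE, offset=9, depth=4)


def rule_session_setup_failure(payload):
    """Hypothetical tighter variant: magic + SESSION_SETUP_ANDX command + status as one
    pattern at offset:4 depth:9, so only failed logon replies fire, not other commands."""
    pattern = SMB_MAGIC + bytes([SMB_COM_SESSION_SETUP_ANDX]) + LOGON_FAILURE_LE
    return snort_content_match(payload, pattern, offset=4, depth=9)


if __name__ == "__main__":
    for name, pkt in (("failure", FAILURE_PKT), ("success", SUCCESS_PKT)):
        off, cmd, status = parse_nt_status(pkt)
        print(f"{name}: status at byte {off}, command 0x{cmd:02x}, status 0x{status:08x}")
        print("  offset:1 depth:1 :", rule_as_posted(pkt))
        print("  unanchored       :", rule_unanchored(pkt))
        print("  offset:9 depth:4 :", rule_anchored(pkt))
        print("  cmd+status       :", rule_session_setup_failure(pkt))
```

The same arithmetic applies to port 445, since direct-hosted SMB over TCP also carries the 4-byte length header in front of the SMB header, so the status field is at byte 9 of the payload there as well.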

