[Snort-sigs] rule documentation for NETBIOS SMB C$ access

Josh.Sakofsky at ...1573...
Mon Jun 9 08:46:05 EDT 2003


# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to others' work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# 
# $Id$
#
# 

Rule: NETBIOS SMB C$ access

--
Sid: 533

--
Summary: A remote user has attempted to access the C$ default 
administrative share of a Windows host.

--
Impact: Serious

--
Detailed Information: By default, Windows hosts have default 
administrative shares of the local hard drives using the
format %DRIVE_LETTER% + $. Anybody with administrative rights can remotely 
access the share.

--
Affected Systems: Windows hosts.

--
Attack Scenarios: An attacker may be attempting to access files located on 
the C drive of the host.

--
Ease of Attack: Easy

--
False Positives: None Known

--
False Negatives: None Known

--
Corrective Action: Disallow NetBIOS access from external networks (tcp 
port 139).

--
Contributors: Original rule writer unknown.
              Josh Sakofsky
-- 
Additional References: http://www.whitehats.com/info/IDS339
 http://support.microsoft.com/default.aspx?scid=kb;en-us;100517
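
The share naming described under Detailed Information (%DRIVE_LETTER% + $) can be checked in captured session data as well. The following is an added example, not part of the original post and not the Snort rule itself; it goes beyond C$ to any single drive letter, and it assumes the requested share appears in the payload as a NUL-terminated UNC path in either ASCII or UTF-16LE. The function name and the sample payloads are constructed for illustration.

```python
import re

# \\server\X$ followed by a NUL terminator, X being one drive letter.
# Assumption: the share path is carried as a NUL-terminated UNC string.
_ASCII = re.compile(rb'\\\\([^\\\x00]{1,255})\\([A-Za-z])\$\x00')
_UTF16 = re.compile(
    rb'\\\x00\\\x00((?:[^\\\x00]\x00){1,255})\\\x00([A-Za-z])\x00\$\x00\x00\x00'
)


def admin_drive_shares(payload: bytes) -> list[tuple[str, str]]:
    """Return (server, share) pairs for drive-letter administrative shares.

    Only shares of the form <letter>$ are reported; other hidden shares
    such as IPC$ and ordinary share names are ignored.
    """
    hits = []
    for m in _ASCII.finditer(payload):
        hits.append((m.group(1).decode('latin-1'),
                     m.group(2).decode('ascii').upper() + '$'))
    for m in _UTF16.finditer(payload):
        hits.append((m.group(1).decode('utf-16-le'),
                     m.group(2).decode('ascii').upper() + '$'))
    return hits


# Constructed sample payload fragments (not real captures).
SAMPLE_ASCII = b'\x00\x00' + b'\\\\FILESRV\\C$\x00?????\x00'
SAMPLE_UTF16 = b'\x00\x00' + '\\\\filesrv\\d$\x00'.encode('utf-16-le')
SAMPLE_IPC = b'\x00\x00' + b'\\\\FILESRV\\IPC$\x00?????\x00'
SAMPLE_PUBLIC = b'\x00\x00' + b'\\\\FILESRV\\public\x00?????\x00'

if __name__ == '__main__':
    for name, data in [('ascii', SAMPLE_ASCII), ('utf16', SAMPLE_UTF16),
                       ('ipc', SAMPLE_IPC), ('public', SAMPLE_PUBLIC)]:
        print(name, admin_drive_shares(data))
```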