[Snort-sigs] RE: [Snort-users] SMB login Failure

Horta, Benny BHorta1 at ...1589...
Tue Jun 10 05:33:08 EDT 2003


It would be interesting to see. I will try it on my network; for some reason
it seems these types of signatures do not interest anyone. Maybe everyone
on the list runs Linux :)

-----Original Message-----
From: Andy Wood [mailto:andy.wood at ...1567...]
Sent: Thursday, June 05, 2003 8:21 PM
To: 'snort-sigs at lists.sourceforge.net';
snort-users at lists.sourceforge.net
Subject: [Snort-users] SMB login Failure


	The Cisco IDSs do a good job of having rules to detect internal
attacks, one being SMB Login Failure.  This rule is nice for detecting
servers that have misconfigured services, as well as someone trying to brute
force.  There is no snort rule that detects SMB failures that I have seen.
I have captured a failure, but am not able to tell if I have constructed the
best rule. Can anyone offer any suggestions?  My doubt comes with the Offset
and Depth section, as I'm not quite sure how to determine byte positions
within the Hex patterns.  (The rule does work with both being set to 1)
Thanks.

	Attached is the cap in TCPDUMP format.  Packet 33 is the server's
failure response.

alert tcp any 139 -> any any (msg:"SMB Login Failure - Port 139";
flow:to_client,established; content:"|6d 00 00 c0|"; offset:1; depth:1;
sid:3000004; rev:1;)

alert tcp any 445 -> any any (msg:"SMB Login Failure - Port 445";
flow:to_client,established; content:"|6d 00 00 c0|"; offset:1; depth:1;
sid:3000005; rev:1;)

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.487 / Virus Database: 286 - Release Date: 6/1/2003
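As an added illustration (not part of either post above), the following Python script builds a constructed SMB1 Session Setup AndX response carrying NT_STATUS_LOGON_FAILURE (0xC000006D, which is the little-endian byte string 6d 00 00 c0 the rule looks for) and shows where those bytes sit in the TCP payload, which is what the rule's offset and depth have to describe. It assumes the 4-byte NetBIOS session service header precedes the SMB header on both 139 and 445, and that depth is counted from offset as in Snort 2.x.

```python
import struct

NT_STATUS_LOGON_FAILURE = 0xC000006D   # on the wire (little-endian): 6d 00 00 c0
NT_STATUS_SUCCESS = 0x00000000
LOGON_FAILURE_PATTERN = bytes.fromhex("6d0000c0")   # the rule's |6d 00 00 c0|


def build_smb1_response(status, command=0x73):
    """Constructed sample: NetBIOS session header + 32-byte SMB1 header + empty body.
    command 0x73 is SMB_COM_SESSION_SETUP_ANDX; header field values are illustrative."""
    smb_header = b"\xffSMB" + struct.pack(
        "<BIBHH8sHHHHH",
        command, status,          # Command, NT Status (little-endian DWORD)
        0x88, 0xC801,             # Flags, Flags2
        0, b"\x00" * 8, 0,        # PIDHigh, SecurityFeatures, Reserved
        0, 0, 0, 0)               # TID, PIDLow, UID, MID
    smb_body = b"\x00" + b"\x00\x00"                      # WordCount = 0, ByteCount = 0
    smb = smb_header + smb_body
    # NetBIOS session message: type 0x00 followed by a 3-byte big-endian length
    return b"\x00" + struct.pack(">I", len(smb))[1:] + smb


def status_offset(payload):
    """Byte offset of the NT status field in the TCP payload, or -1 if no SMB1 header."""
    i = payload.find(b"\xffSMB")
    return -1 if i < 0 else i + 5     # 4-byte protocol id + 1-byte command precede it


def snort_content_match(payload, content, offset, depth):
    """Emulate content/offset/depth: search for `content` within depth bytes from offset."""
    return content in payload[offset:offset + depth]


def logon_failure_rule(payload):
    """Match logic of the corrected rule body: content:"|6d 00 00 c0|"; offset:9; depth:4;"""
    return snort_content_match(payload, LOGON_FAILURE_PATTERN, offset=9, depth=4)


if __name__ == "__main__":
    failure = build_smb1_response(NT_STATUS_LOGON_FAILURE)
    success = build_smb1_response(NT_STATUS_SUCCESS)
    off = status_offset(failure)
    print(f"NT status starts at payload offset {off}: {failure[off:off + 4].hex(' ')}")
    print("offset:9; depth:4 on failure :", logon_failure_rule(failure))
    print("offset:9; depth:4 on success :", logon_failure_rule(success))
    # A depth of 1 can never hold a 4-byte pattern, whatever the offset
    print("offset:1; depth:1 on failure :",
          snort_content_match(failure, LOGON_FAILURE_PATTERN, 1, 1))
```

Because the status field is fixed at payload offset 9 for an SMB1 response, offset:9 with depth:4 anchors the match to that field instead of letting the same four bytes match anywhere in the packet.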