[Snort-sigs] Snort and AD logons

Lorine Ruotolo lori.ruotolo at ...12...
Fri May 19 07:18:01 EDT 2006

Active Directory should not send any information between machines in 
clear-text if it is working correctly.  Unfortunately, this means that you 
won't be able to catch where the offending logins are coming from via Snort.

You have options, though: between Windows auditing and monitoring tools, you 
should be able to get the information you need.

>From: "Michael Miller" <michael.miller at ...1811...>
>To: <snort-sigs at lists.sourceforge.net>
>Subject: [Snort-sigs] Snort and AD logons
>Date: Wed, 17 May 2006 12:32:17 -0600
>We've got an unusual number of administrator logon attempts, but the
>sysm logs don't provide much information beyond 'badPwdCount
>incremented'. I'm not seeing anything in the Snort rules that looks
>into...what, LDAP? Active Directory? Any ideas how I can isolate this
>activity to an IP address to research further?

