[Snort-sigs] Snort and AD logons
lori.ruotolo at ...12...
Fri May 19 07:18:01 EDT 2006
Active Directory should not send any information between machines in
clear-text if it is working correctly. Unfortunately, this means that you
won't be able to catch where the offending logins are coming from via Snort.
You have options though: between Windows auditing and monitoring tools, you
should be able to get the information you need.
>From: "Michael Miller" <michael.miller at ...1811...>
>To: <snort-sigs at lists.sourceforge.net>
>Subject: [Snort-sigs] Snort and AD logons
>Date: Wed, 17 May 2006 12:32:17 -0600
>We've got an unusual number of administrator logon attempts, but the
>sysm logs don't provide much information beyond 'badPwdCount
>incremented'. I'm not seeing anything in the Snort rules that looks
>into...what, LDAP? Active Directory? Any ideas how I can isolate this
>activity to an IP address to research further?
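
The Windows auditing route suggested in the reply, sketched as an added example that is not part of either message: it tallies failed logons for one account by source address from Security events exported as XML. It assumes logon-failure auditing is enabled on the domain controllers and uses current Windows event IDs 4625 and 4771; the sample events, addresses and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# 4625 = an account failed to log on, 4771 = Kerberos pre-authentication failed
FAILED_LOGON_IDS = {"4625", "4771"}

def _event(event_id, user, ip):
    """Build a constructed sample event, trimmed to the fields used below."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData><Data Name="TargetUserName">{user}</Data>'
            f'<Data Name="IpAddress">{ip}</Data></EventData></Event>')

# Constructed sample export (not real log data), wrapped in a single root element.
SAMPLE_XML = "<Events>" + "".join([
    _event(4625, "Administrator", "192.0.2.15"),
    _event(4771, "administrator", "::ffff:192.0.2.15"),  # IPv4-mapped form
    _event(4625, "Administrator", "192.0.2.15"),
    _event(4625, "Administrator", "198.51.100.7"),
    _event(4625, "jsmith", "192.0.2.40"),                # other account, ignored
    _event(4624, "Administrator", "192.0.2.15"),         # successful logon, ignored
    _event(4625, "Administrator", "-"),                  # no network source recorded
]) + "</Events>"

def normalize_ip(ip):
    """Strip the IPv4-mapped prefix and map empty or '-' values to 'unknown'."""
    ip = (ip or "").strip()
    if ip.lower().startswith("::ffff:"):
        ip = ip[7:]
    return ip if ip and ip != "-" else "unknown"

def failed_logons_by_source(xml_text, account="administrator"):
    """Return [(source_address, failure_count), ...] sorted by count, highest first."""
    counts = Counter()
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        event_id = ev.findtext("e:System/e:EventID", default="", namespaces=NS)
        if event_id not in FAILED_LOGON_IDS:
            continue
        data = {d.get("Name"): (d.text or "") for d in ev.iterfind("e:EventData/e:Data", NS)}
        if data.get("TargetUserName", "").lower() != account.lower():
            continue
        counts[normalize_ip(data.get("IpAddress"))] += 1
    return counts.most_common()

if __name__ == "__main__":
    for source, failures in failed_logons_by_source(SAMPLE_XML):
        print(f"{source}\t{failures}")
```

An "unknown" source usually means the failure was recorded without a network address, so the workstation name fields in the same event are the next place to look.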