[Snort-sigs] Kerberos login failure detection

Sharif Uddin Sharif.Uddin at ...3955...
Mon Sep 15 10:28:07 EDT 2014


I would like to set up an alert for this in my network. I have found the following guide, but the alert is not producing any results.


# ad login failed
alert tcp any 88 -> any any (msg:"Possible domain user spraying detected"; \
flow:established, to_client; \
content:"|05|"; offset:14; depth:15; \
content:"|1e|"; distance:4; within:1; \
content:"|18|"; distance:30; within:1; \
detection_filter:track by_dst, count 1, seconds 60; \
reference:url,foxtrot7security.blogspot.com/2011/12/defeat-domain-user-spraying-brute_28.html; \
classtype:attempted-user; \
sid:1000002;)

pcap attached.

Sharif Uddin
Development/Support Engineer

Spectrum Geo Ltd
Dukes Court, Duke Street
Woking, Surrey
GU21 5BH

Tel: +44 (0) 1483 730201
Fax: +44 (0) 1483 762620


-------------- next part --------------
A non-text attachment was scrubbed...
Name: pan.pcap
Type: application/octet-stream
Size: 36265 bytes
Desc: pan.pcap
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20140915/e0158b49/attachment.obj>
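
Added example, not part of the original post or of the guide it references: a small Python DER walker that finds the error-code field of a Kerberos KRB-ERROR carried over TCP, so the byte positions that a fixed-offset rule like the one above relies on can be compared against real payloads. The helper names and the sample message (realm EXAMPLE.COM) are constructed for illustration; pvno 5, msg-type 30 (KRB-ERROR) and error-code 24 (KDC_ERR_PREAUTH_FAILED) are the values defined in RFC 4120.

```python
def read_tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, pos, pos + length

def krb_error_code(payload):
    """Return (error_code, offset of its last value byte in the TCP payload),
    or None if the payload is not a KRB-ERROR. Raises ValueError if truncated."""
    tag, pos, end = read_tlv(payload, 4)     # skip the 4-byte TCP record length
    if tag != 0x7E:                          # [APPLICATION 30] = KRB-ERROR
        return None
    _, pos, end = read_tlv(payload, pos)     # the SEQUENCE inside it
    while pos < end:
        tag, vstart, vend = read_tlv(payload, pos)   # field [n] has tag 0xA0 | n
        if tag == 0xA6:                              # [6] error-code
            _, s, e = read_tlv(payload, vstart)      # the INTEGER it wraps
            return int.from_bytes(payload[s:e], "big", signed=True), e - 1
        pos = vend
    return None

# --- constructed sample data (assumption: not taken from the attached pan.pcap) ---
def tlv(tag, body):
    return bytes([tag, len(body)]) + body    # short-form length, bodies < 128 bytes

def integer(n):
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def sample_krb_error(code, susec):
    """Build a TCP-framed KRB-ERROR for realm EXAMPLE.COM with the given fields."""
    name = tlv(0x30, tlv(0x1B, b"krbtgt") + tlv(0x1B, b"EXAMPLE.COM"))
    body = (tlv(0xA0, integer(5)) + tlv(0xA1, integer(30))            # pvno, msg-type
            + tlv(0xA4, tlv(0x18, b"20140915142807Z"))                # stime
            + tlv(0xA5, integer(susec)) + tlv(0xA6, integer(code))    # susec, error-code
            + tlv(0xA9, tlv(0x1B, b"EXAMPLE.COM"))                    # realm
            + tlv(0xAA, tlv(0x30, tlv(0xA0, integer(2)) + tlv(0xA1, name))))  # sname
    msg = tlv(0x7E, tlv(0x30, body))
    return len(msg).to_bytes(4, "big") + msg
```

With the constructed samples, `krb_error_code(sample_krb_error(24, 7))` places the error-code byte at payload offset 46 and a three-byte `susec` such as 123456 moves it to 48; long-form DER lengths and the optional ctime/cusec fields shift it further.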
