[Snort-users] Help request: SAMBA probing --> What to do?

Matthew R. Versaggi, MS, MBA matt at ...73...
Wed Jul 19 13:12:01 EDT 2000


Hi folks,

I'm new to using SNORT and have successfully installed it in my
experimental FreeBSD box. I also have SAMBA running on this system which
seems to be a favorite probe target among the script kiddies out there
who are probing this network block.

I want to be able to detect specific samba probes and intrusion attempts
without risking turning on the Samba alerts option in SNORT (for
obvious reasons). Aside from gathering IP addresses from my log.smb file
on a regular basis, I'm not sure how to write a SNORT rule to
specifically detect these types of attacks.

Can anyone give me a pointer or two? Many thanks in advance! ;-)

-matt


PS: Here's a copy of my log.smb file capturing a probe coming from
64.8.5.2 (FYI: my log.nmb file is always empty)

[2000/07/19 01:59:01, 1] smbd/files.c:file_init(216)
  file_init: Information only: requested 10000 open files, 1054 are
available.
[2000/07/19 01:59:01, 0] lib/pidfile.c:pidfile_create(86)
  ERROR: smbd is already running. File
/usr/local/samba/var/locks/smbd.pid exists and process id 195 is
running.
[2000/07/19 03:21:58, 1] lib/util_sock.c:client_name(1007)
  Gethostbyaddr failed for 64.8.5.2
[2000/07/19 03:21:58, 0] lib/access.c:check_access(262)
  Denied connection from 64.8.5.2 (64.8.5.2)
[2000/07/19 03:21:58, 1] smbd/process.c:process_smb(611)
  Connection denied from 64.8.5.2
[2000/07/19 03:21:58, 0] lib/util_sock.c:write_socket_data(540)
  write_socket_data: write failure. Error = Broken pipe
[2000/07/19 03:21:58, 0] lib/util_sock.c:write_socket(566)
  write_socket: Error writing 5 bytes to socket 6: ERRNO = Broken pipe
[2000/07/19 03:21:58, 0] lib/util_sock.c:send_smb(754)
  Error writing 5 bytes to client. -1. Exiting


-- 
####################################################
Matthew R. Versaggi, Founder & President
Versaggi Information Systems, Inc.
Adjunct Professor of eBusiness DePaul University
Email: mailto:matt at ...73... 
URL: http://www.dpu-ebiz.org 	       (Academic 1)
URL: http://www.versaggi.net/ecommerce (Academic 2)
####################################################
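The post's current workflow is pulling source addresses out of log.smb by hand. The script below is an added example, not code from the poster or from the Snort or Samba projects: it parses Samba's two-line log entry format (a `[date time, level] file:function(line)` header followed by indented message text), keeps only the `check_access` denials so the matching `process_smb` "Connection denied" line is not double-counted, tallies denied connections per source IP, and renders a single Snort rule that alerts on new TCP connections from those sources to the SMB ports. The sample log is constructed from the lines in the post plus one made-up second source (192.0.2.77); `$HOME_NET`, the port list `[139,445]` and the `sid` value are assumptions about the reader's snort.conf, not something the post specifies.

```python
import re
from collections import Counter
from datetime import datetime
from typing import Iterator, List, NamedTuple, Tuple

# Constructed sample of a Samba log.smb: the poster's 64.8.5.2 probe plus a
# made-up second source (192.0.2.77) and a repeat visit, for illustration.
SAMPLE_LOG = """\
[2000/07/19 01:59:01, 1] smbd/files.c:file_init(216)
  file_init: Information only: requested 10000 open files, 1054 are
available.
[2000/07/19 03:21:58, 1] lib/util_sock.c:client_name(1007)
  Gethostbyaddr failed for 64.8.5.2
[2000/07/19 03:21:58, 0] lib/access.c:check_access(262)
  Denied connection from 64.8.5.2 (64.8.5.2)
[2000/07/19 03:21:58, 1] smbd/process.c:process_smb(611)
  Connection denied from 64.8.5.2
[2000/07/19 04:10:12, 0] lib/access.c:check_access(262)
  Denied connection from 192.0.2.77 (scanner.example)
[2000/07/19 05:00:00, 0] lib/access.c:check_access(262)
  Denied connection from 64.8.5.2 (64.8.5.2)
"""

# Header line of a Samba log entry: "[YYYY/MM/DD HH:MM:SS, level] file:function(line)"
HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (\d+)\] (\S+)")
# Message emitted by lib/access.c when hosts allow/deny rejects a client.
DENIED_RE = re.compile(r"Denied connection from (\S+) \((\S+)\)")


class Denied(NamedTuple):
    when: datetime
    ip: str
    name: str  # reverse-DNS name if Samba resolved one, else the IP again


def entries(text: str) -> Iterator[Tuple[datetime, int, str, str]]:
    """Yield (timestamp, level, location, message) per log entry.

    Any line that does not start a new header is treated as a continuation
    of the current entry, so messages wrapped across lines are rejoined."""
    header = None
    body: List[str] = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            if header is not None:
                yield header + (" ".join(body),)
            header = (
                datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"),
                int(m.group(2)),
                m.group(3),
            )
            body = []
        else:
            body.append(line.strip())
    if header is not None:
        yield header + (" ".join(body),)


def denied_connections(text: str) -> List[Denied]:
    """Return every check_access denial, ignoring the echo from process_smb."""
    found = []
    for when, _level, where, msg in entries(text):
        if not where.startswith("lib/access.c:check_access"):
            continue
        m = DENIED_RE.search(msg)
        if m:
            found.append(Denied(when, m.group(1), m.group(2)))
    return found


def probe_counts(text: str) -> Counter:
    """Number of denied SMB connections per source IP."""
    return Counter(d.ip for d in denied_connections(text))


def snort_rule(ips, sid: int) -> str:
    """Render one Snort rule covering all listed sources.

    Uses Snort's bracketed IP-list and port-list syntax; $HOME_NET is assumed
    to be defined in snort.conf. Alerting on the SYN (flags:S) fires once per
    connection attempt rather than once per packet."""
    src = "[" + ",".join(sorted(ips)) + "]"
    return (
        f"alert tcp {src} any -> $HOME_NET [139,445] "
        f'(msg:"SMB probe from host previously denied by Samba"; flags:S; '
        f"sid:{sid}; rev:1;)"
    )


if __name__ == "__main__":
    counts = probe_counts(SAMPLE_LOG)
    for ip, n in counts.most_common():
        print(f"{ip:16} {n} denied connection(s)")
    print(snort_rule(counts, sid=1000001))
```

Feed the real log.smb to `probe_counts` instead of the constructed sample to get the same tally from the box; the rule `snort_rule` prints is a starting point to paste into a local rules file, with the sid chosen from the local (1000000+) range.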



