[Snort-users] How to detect drive letters accessed?
dhondel at ...3841...
Thu Jan 17 06:56:27 EST 2002
I've not sniffed a connection like this to see what is sent, but:
- I'm assuming that you're running a Windows system
- You don't mention a share name
In other words, the "k:\" probably is never sent over the network.
Perhaps you should try detecting "k$\" or whatever the share name is.
For example if I run the command "net use * \\<ip>\k$", I don't
think that my machine ever really knows that I'm using a drive that is
referred to as k: on the target system....
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Sheahan,
Sent: Wednesday, January 16, 2002 5:20 PM
To: Snort List (E-mail)
Subject: [Snort-users] How to detect drive letters accessed?
Running Snort 1.8.1 B78 on RH Linux 7.0.
Using Snort, I am trying to detect when someone accesses a certain drive on
one of my servers. For example if I have a server that has a drive letter K:
that no one from the outside world should see or be accessing, I'd like to
create a rule in Snort that checks for "K:\" in a packet. The trouble is, I
can't just create a rule that searches for "K:\" because the rule doesn't
work. I think the colon screws it up or something. Someone in this forum
once mentioned putting some type of code in for the colon and backslash
instead such as creating a rule to look for "K|C3A|" or something like that,
but all recommendations from that person failed.
Does anyone know how I can create a rule to search for "K:\" (can be any
drive letter....it's the colon and backslash that are important)?
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:
More information about the Snort-users