[Snort-users] how would you log failed windows logins etc?

Gavin Lowe gavin at ...9089...
Fri May 16 13:06:07 EDT 2003


Benny,

 

I use these rules in my local.rules files to monitor failed logon
attempts - I too was surprised they were not standard.  The Message and
sid's are of my own making and really don't mean anything. 

alert tcp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"Possible External
Logon Attempt"; sid: 2766; classtype: unsuccessful-user; priority: 1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"Possible External
File Sharing - Printing"; sid: 2764; classtype: unsuccessful-user;
priority: 1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 389 (msg:"Possible External
Active Directory Access"; sid: 2765; classtype: unsuccessful-user;
priority: 1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"Possible External
Activity MISC"; sid: 2767; classtype: unsuccessful-user; priority: 1;)

 

 

WARNING:  You will receive a LOT of traffic from these rules.  It is
possible to filter for just the failed status, but I haven't done that
yet.

 

The following is an Event log entry, 4 Snort entries logged to an MS-SQL
database, and the entries from the Snort Alert file associated with a
very recent logon attempt from the outside world.  The generic port
rules above caught the logon attempt 8 minutes before the failed logon
attempt generated the single event log entry.

 

Event Log Entry:

 

Event Type:       Failure Audit

Event Source:    Security

Event Category: Logon/Logoff 

Event ID:           529

Date:                5/16/2003

Time:                12:38:35 PM

User:                NT AUTHORITY\SYSTEM

Computer:         xxxxxxxx

Description:

Logon Failure:

            Reason:                        Unknown user name or bad
password

            User Name:       Administrator

            Domain:                        CHINAGRANDINC

            Logon Type:      3

            Logon Process: NtLmSsp 

            Authentication Package: NTLM

            Workstation Name:        ISA2

 

Snort Data table Entries (from MS-SQL recorded as ASCII)

Entry #1: .....SMBr.....S......................b..PC NETWORK PROGRAM
1.0..LANMAN1.0..Windows for Workgroups 3.1a..LM1.2X002..LANMAN2.1..NT LM
0.12.

Entry #2: .....SMBs.........BSRSPYL
........ at ...9208...`@..+......604..0...+.....7....\".
NTLMSSP..........................W.i.n.d.o.w.s. .2.0.0.0.
.2.1.9.5...W.i.n.d.o.w.s. .2.0.0.0. .5...0.....

Entry #3: ...L.SMBs.........BSRSPYL
.............L..A2......................0........NTLMSSP.........|......
......... at ...9209...
.i.n.i.s.t.r.a.t.o.r.I.S.A.2....J..d..................f....|...7......L.
.h.....7....:.S.D.d...W.i.n.d.o.w.s. .2.0.0.0. .2.1.9.5...W.i.n.d.o.w.s.
.2.0.0.0. .5...0.....

Entry #4: ...D ENEJEEFAEPEJEOFECACACACACACACACA.
EMEPEDEBEMEIEPFDFECACACACACACACA.

 

 

Snort Alert Log

05/16-12:30:02.437435  [**] [1:2767:0] Possible External Activity MISC
[**] [Classification: Unsuccessful User Privilege Gain] [Priority: 1]
{TCP} 218.244.255.99:45488 -> xxx.xxx.xxx.xxx:445

05/16-12:30:03.441190  [**] [1:2767:0] Possible External Activity MISC
[**] [Classification: Unsuccessful User Privilege Gain] [Priority: 1]
{TCP} 218.244.255.99:45488 -> xxx.xxx.xxx.xxx:445

05/16-12:30:03.441247  [**] [1:2767:0] Possible External Activity MISC
[**] [Classification: Unsuccessful User Privilege Gain] [Priority: 1]
{TCP} 218.244.255.99:45488 -> xxx.xxx.xxx.xxx:445

05/16-12:30:04.554075  [**] [1:2767:0] Possible External Activity MISC
[**] [Classification: Unsuccessful User Privilege Gain] [Priority: 1]
{TCP} 218.244.255.99:45488 -> xxx.xxx.xxx.xxx:445

05/16-12:38:31.778379  [**] [1:2767:0] Possible External Activity MISC
[**] [Classification: Unsuccessful User Privilege Gain] [Priority: 1]
{TCP} 218.244.255.99:47435 -> xxx.xxx.xxx.xxx:445

05/16-12:38:31.778584  [**] [1:2764:0] Possible External File Sharing -
Printing [**] [Classification: Unsuccessful User Privilege Gain]
[Priority: 1] {TCP} 218.244.255.99:1025 -> xxx.xxx.xxx.xxx:139

05/16-12:38:31.778654  [**] [1:2764:0] Possible External File Sharing -
Printing [**] [Classification: Unsuccessful User Privilege Gain]
[Priority: 1] {TCP} 218.244.255.99:47437 -> xxx.xxx.xxx.xxx:139

05/16-12:38:32.834196  [**] [1:2767:0] Possible External Activity MISC
[**] [Classification: Unsuccessful User Privilege Gain] [Priority: 1]
{TCP} 218.244.255.99:47435 -> xxx.xxx.xxx.xxx:445

05/16-12:38:32.974164  [**] [1:2764:0] Possible External File Sharing -
Printing [**] [Classification: Unsuccessful User Privilege Gain]
[Priority: 1] {TCP} 218.244.255.99:1025 -> xxx.xxx.xxx.xxx:139

05/16-12:38:32.974225  [**] [1:2764:0] Possible External File Sharing -
Printing [**] [Classification: Unsuccessful User Privilege Gain]
[Priority: 1] {TCP} 218.244.255.99:47437 -> xxx.xxx.xxx.xxx:139

05/16-12:38:33.091158  [**] [1:2767:0] Possible External Activity MISC
[**] [Classification: Unsuccessful User Privilege Gain] [Priority: 1]
{TCP} 218.244.255.99:47435 -> xxx.xxx.xxx.xxx:445

05/16-12:38:34.399048  [**] [1:2767:0] Possible External Activity MISC
[**] [Classification: Unsuccessful User Privilege Gain] [Priority: 1]
{TCP} 218.244.255.99:47435 -> xxx.xxx.xxx.xxx:445

05/16-12:38:36.155648  [**] [1:2767:0] Possible External Activity MISC
[**] [Classification: Unsuccessful User Privilege Gain] [Priority: 1]
{TCP} 218.244.255.99:47435 -> xxx.xxx.xxx.xxx:445

05/16-12:38:37.275455  [**] [1:2767:0] Possible External Activity MISC
[**] [Classification: Unsuccessful User Privilege Gain] [Priority: 1]
{TCP} 218.244.255.99:47435 -> xxx.xxx.xxx.xxx:445

05/16-12:38:38.399280  [**] [1:2767:0] Possible External Activity MISC
[**] [Classification: Unsuccessful User Privilege Gain] [Priority: 1]
{TCP} 218.244.255.99:47435 -> xxx.xxx.xxx.xxx:445

05/16-12:38:38.523242  [**] [1:2767:0] Possible External Activity MISC
[**] [Classification: Unsuccessful User Privilege Gain] [Priority: 1]
{TCP} 218.244.255.99:47435 -> xxx.xxx.xxx.xxx:445

05/16-12:38:39.589311  [**] [1:2767:0] Possible External Activity MISC
[**] [Classification: Unsuccessful User Privilege Gain] [Priority: 1]
{TCP} 218.244.255.99:47435 -> xxx.xxx.xxx.xxx:445

 

 

A trace of the source IP 218.244.255.99 show it registered Asia Pacific
Network Information Centre in Australia (218.0.0.0 - 218.255.255.255) -
long way from Alberta, Canada.

 

 

Gavin Lowe

Programmer / Network Administrator

glowe at ...9089...

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Horta,
Benny
Sent: Friday, May 16, 2003 12:10 PM
To: Snort-users at lists.sourceforge.net
Subject: [Snort-users] how would you log failed windows logins etc?

 

I am surprised no one has added to the default signatures failed login
attempts to a windows server how would such a signature be written and
how would someone log any administrator accout logins (ie user
administrator)?

this would be useful to see account churners trying to bruteforce. 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20030516/1bcb91b9/attachment.html>


More information about the Snort-users mailing list