[Snort-users] SNORT Rule for netbios brute force break-in

Shaffer, Paul D paul.d.shaffer at ...178...
Wed Feb 11 08:17:11 EST 2004

Robert, trying to control or mitigate this behavior with Snort may not be the best approach.  Check out the TechNet article at:
It explains this issue (among others) in terms of some registry values that should alleviate the problem.  It looks like adjusting your LockoutDuration and ObservationWindow settings would better address this problem.
-----Original Message-----
From: snort-users-admin at lists.sourceforge.net [mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Robert Caplan
Sent: Wednesday, February 11, 2004 7:57 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] SNORT Rule for netbios brute force break-in

My network administrators are constantly flooded with requests to reset Windows accounts which have been locked out because of brute force/dictionary breakin accounts on the netbios port.  Intrudors are able to enumerate the usernames and by brute force attempt to gain access.  Does anyone know of a Snort rule which will detect this behavior?
Robert Caplan

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20040211/978b5473/attachment.html>

More information about the Snort-users mailing list