[Snort-users] SNORT Rule for netbios brute force break-in

Shaffer, Paul D paul.d.shaffer at ...178...
Wed Feb 11 08:17:11 EST 2004


Robert, trying to control or mitigate this behavior with Snort may not be the best approach.  Check out the TechNet article at:
 
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/maintain/operate/BPACTLCK.asp
 
It explains this issue (among others) in terms of some registry values that should alleviate the problem.  It looks like adjusting your LockoutDuration and ObservationWindow settings would better address this problem.
 
-----Original Message-----
From: snort-users-admin at lists.sourceforge.net [mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Robert Caplan
Sent: Wednesday, February 11, 2004 7:57 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] SNORT Rule for netbios brute force break-in




My network administrators are constantly flooded with requests to reset Windows accounts which have been locked out because of brute force/dictionary break-in accounts on the netbios port.  Intruders are able to enumerate the usernames and by brute force attempt to gain access.  Does anyone know of a Snort rule which will detect this behavior?
 
Thanks,
 
Robert Caplan
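
The effect of the two settings named in the reply, replayed against constructed logon timestamps. This is an added example, not part of the thread or the TechNet article; the model is simplified, and `lockout_threshold`, `replay` and the sample times are assumptions.

```python
from dataclasses import dataclass

@dataclass
class LockoutPolicy:
    lockout_threshold: int   # failed logons that lock the account (assumed name)
    observation_window: int  # ObservationWindow: minutes until the failure counter resets
    lockout_duration: int    # LockoutDuration: minutes locked; 0 = until an admin unlocks

def replay(policy, failed_logons, user_logons):
    """Replay one account's events (times in minutes).

    Returns (lockouts, helpdesk_calls): how often the account locked, and how
    often the real user hit a locked account and needed a manual reset.
    """
    events = sorted([(t, "fail") for t in failed_logons] +
                    [(t, "user") for t in user_logons])
    bad_count, last_fail, locked_until = 0, None, None
    lockouts = helpdesk_calls = 0
    for t, kind in events:
        if locked_until is not None and t >= locked_until:
            locked_until, bad_count = None, 0        # lockout expired on its own
        if kind == "user":
            if locked_until is not None:
                helpdesk_calls += 1                  # admin unlocks by hand
            locked_until, bad_count = None, 0        # unlock or good logon clears counter
            continue
        if locked_until is not None:
            continue                                 # locked: further guesses are rejected
        if last_fail is not None and t - last_fail >= policy.observation_window:
            bad_count = 0                            # quiet period: counter resets
        bad_count += 1
        last_fail = t
        if bad_count >= policy.lockout_threshold:
            lockouts += 1
            locked_until = (float("inf") if policy.lockout_duration == 0
                            else t + policy.lockout_duration)
    return lockouts, helpdesk_calls

# Constructed sample: three bursts of five bad passwords; the user logs on in between.
BURSTS = [b + i for b in (0, 120, 240) for i in range(5)]
USER = [60, 180, 480]
# Constructed sample: one bad password every 40 minutes.
SLOW = [0, 40, 80, 120, 160, 200]

if __name__ == "__main__":
    print(replay(LockoutPolicy(5, 30, 0), BURSTS, USER))   # manual unlock only
    print(replay(LockoutPolicy(5, 30, 30), BURSTS, USER))  # auto-unlock after 30 minutes
    print(replay(LockoutPolicy(5, 30, 30), SLOW, []))      # slow guessing, short window
    print(replay(LockoutPolicy(5, 60, 60), SLOW, []))      # same guesses, longer window
```

With the same bursts, a non-zero lockout duration removes the manual resets, while the observation window decides whether slow guessing ever reaches the threshold.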
 
