[Snort-users] Windows Logon Failures

Brian Kimsey-Hickman kimhick at ...11827...
Wed Jan 26 05:20:01 EST 2005


We have a Window 2003 domain and we are see a lot of logon failures
from apparently fictitious hosts.  Here is an example from the event
viewer:

Event Type:	Audit Failure
Event Source:	Security
Event Category:	Account Logon
Event ID:	680
Date:		1/24/2005
Time:		10:26:33 AM
User:		SYSTEM
Computer:	DC1
Description:
Logon attempt by:	MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Logon account:	root
 Source Workstation:	\\RYDER
 Error Code:	0xC0000064
 
In this case \\RYDER does not resolve through DNS or WINS so we don't
know where these are coming from.

We have snort up and running but what rules would we use that could
give us an IP number on these hosts.

Any help or advice would be appreciated.

Thanks,

Brian




More information about the Snort-users mailing list