[Snort-users] Windows Logon Failures
kimhick at ...11827...
Wed Jan 26 05:20:01 EST 2005
We have a Window 2003 domain and we are see a lot of logon failures
from apparently fictitious hosts. Here is an example from the event
Event Type: Audit Failure
Event Source: Security
Event Category: Account Logon
Event ID: 680
Time: 10:26:33 AM
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: root
Source Workstation: \\RYDER
Error Code: 0xC0000064
In this case \\RYDER does not resolve through DNS or WINS so we don't
know where these are coming from.
We have snort up and running but what rules would we use that could
give us an IP number on these hosts.
Any help or advice would be appreciated.
More information about the Snort-users