[Snort-users] Windows Logon Failures

Nerijus Krukauskas nk99 at ...10637...
Wed Jan 26 05:50:03 EST 2005


Brian Kimsey-Hickman wrote:
> We have a Windows 2003 domain and we are seeing a lot of logon failures
> from apparently fictitious hosts.  Here is an example from the event
> viewer:
> 
> Event Type:	Audit Failure
> Event Source:	Security
> Event Category:	Account Logon
> Event ID:	680
> Date:		1/24/2005
> Time:		10:26:33 AM
> User:		SYSTEM
> Computer:	DC1
> Description:
> Logon attempt by:	MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
>  Logon account:	root
>  Source Workstation:	\\RYDER
>  Error Code:	0xC0000064
>  
> In this case \\RYDER does not resolve through DNS or WINS so we don't
> know where these are coming from.
> 
> We have snort up and running but what rules would we use that could
> give us an IP number on these hosts?
> 
> Any help or advice would be appreciated.
> 
> Thanks,
> 
> Brian

   These two should provide some help:

sid:2923 || NETBIOS SMB repeated logon failure
sid:2924 || NETBIOS SMB-DS repeated logon failure


-- 
http://nk99.org/

... What I tell you three times is true.
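
An added example, not part of the original thread: one way to turn alerts from the two rules above into the client IP behind an Event 680 entry, by matching alert times against the event time. It assumes Snort's "fast" alert output and roughly synchronized clocks between sensor and domain controller; the sample alerts, addresses and the name `clients_near` are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample alerts in Snort "fast" format; addresses, revisions and
# sid 1000001 are made up for illustration.
SAMPLE_ALERTS = """\
01/24-10:26:31.412305  [**] [1:2923:3] NETBIOS SMB repeated logon failure [**] [Classification: Unsuccessful User Privilege Gain] [Priority: 1] {TCP} 192.0.2.10:139 -> 198.51.100.77:3412
01/24-10:26:34.000120  [**] [1:2924:3] NETBIOS SMB-DS repeated logon failure [**] [Classification: Unsuccessful User Privilege Gain] [Priority: 1] {TCP} 198.51.100.77:3415 -> 192.0.2.10:445
01/24-10:26:40.551000  [**] [1:1000001:1] constructed unrelated alert [**] [Classification: Misc activity] [Priority: 3] {TCP} 203.0.113.5:1030 -> 192.0.2.10:445
01/24-11:40:00.000000  [**] [1:2924:3] NETBIOS SMB-DS repeated logon failure [**] [Classification: Unsuccessful User Privilege Gain] [Priority: 1] {TCP} 192.0.2.10:445 -> 203.0.113.9:2201
"""

LOGON_FAILURE_SIDS = {2923, 2924}   # the two rules named in the reply
SMB_PORTS = {139, 445}              # NetBIOS session service and SMB-DS
EVENT_680_TIME = datetime(2005, 1, 24, 10, 26, 33)  # from the quoted event

ALERT_RE = re.compile(
    r"^(\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\] \[\d+:(\d+):\d+\] .*?"
    r"\{TCP\} (\S+):(\d+) -> (\S+):(\d+)$")

def clients_near(alert_text, event_time, window=timedelta(seconds=60)):
    """Return {client_ip: alert_count} for sid 2923/2924 alerts near event_time."""
    hits = {}
    for line in alert_text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m or int(m.group(2)) not in LOGON_FAILURE_SIDS:
            continue
        # Fast-format timestamps carry no year, so borrow it from the event.
        ts = datetime.strptime(f"{event_time.year}/{m.group(1)}",
                               "%Y/%m/%d-%H:%M:%S")
        if abs(ts - event_time) > window:
            continue
        src, sport = m.group(3), int(m.group(4))
        dst, dport = m.group(5), int(m.group(6))
        # Whichever end sits on 139/445 is the server; the other is the client.
        if sport in SMB_PORTS and dport not in SMB_PORTS:
            client = dst
        elif dport in SMB_PORTS and sport not in SMB_PORTS:
            client = src
        else:
            continue  # cannot tell the client from the server
        hits[client] = hits.get(client, 0) + 1
    return hits

if __name__ == "__main__":
    print(clients_near(SAMPLE_ALERTS, EVENT_680_TIME))
```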




