[Snort-users] Windows Logon Failures
nk99 at ...10637...
Wed Jan 26 05:50:03 EST 2005
Brian Kimsey-Hickman wrote:
> We have a Windows 2003 domain and we are seeing a lot of logon failures
> from apparently fictitious hosts. Here is an example from the event
> Event Type: Audit Failure
> Event Source: Security
> Event Category: Account Logon
> Event ID: 680
> Date: 1/24/2005
> Time: 10:26:33 AM
> User: SYSTEM
> Computer: DC1
> Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> Logon account: root
> Source Workstation: \\RYDER
> Error Code: 0xC0000064
> In this case \\RYDER does not resolve through DNS or WINS so we don't
> know where these are coming from.
> We have Snort up and running, but what rules would we use that could
> give us an IP number on these hosts?
> Any help or advice would be appreciated.
These two should provide some help:
sid:2923 || NETBIOS SMB repeated logon failure
sid:2924 || NETBIOS SMB-DS repeated logon failure
... What I tell you three times is true.
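The thread's problem is that event 680 names a source workstation (here \\RYDER) that does not resolve, while the Snort NETBIOS SMB logon-failure rules (sids 2923 and 2924) see the packets and therefore know the source IP. The following Python script is an added example, not code from either poster or from the Snort project: it parses Snort "fast" alert lines and event-680 text blocks, decodes the NTSTATUS error code, and correlates the two sources on a time window so each workstation name is paired with the candidate IPs that were hammering the DC's SMB ports at that moment. The alert lines, event entries, addresses and timestamps are all constructed sample data; the five-second window and the clock alignment between the Snort sensor and the domain controller are assumptions.

```python
"""Correlate Windows event-680 logon failures with Snort SMB logon-failure alerts.

Event 680 records the claimed source workstation but no IP; Snort sids 2923
(SMB, tcp/139) and 2924 (SMB-DS, tcp/445) record the IP but no workstation
name.  Matching on time pins a name to an address.  All data below is
constructed for illustration.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# NTSTATUS values that commonly show up in the Error Code field of event 680.
ERROR_CODES = {
    0xC0000064: "STATUS_NO_SUCH_USER (account does not exist)",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

# Snort "fast" alert format: timestamp, [gid:sid:rev], message, ..., {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

SMB_LOGON_FAILURE_SIDS = {2923, 2924}


def parse_alert(line, year):
    """Parse one Snort fast-alert line; the year is not in the line, so the caller supplies it."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    return {"time": ts, "sid": int(m["sid"]), "msg": m["msg"],
            "src_ip": m["src"], "dst_ip": m["dst"], "dst_port": int(m["dport"])}


def parse_event(text):
    """Parse a 'Key: Value' event-log export; return None unless it is event 680."""
    fields = {}
    for line in text.strip().splitlines():
        key, sep, value = line.partition(":")   # split on the first colon only ("Time: 10:26:33 AM")
        if sep:
            fields[key.strip()] = value.strip()
    if fields.get("Event ID") != "680":
        return None
    ts = datetime.strptime(f"{fields['Date']} {fields['Time']}", "%m/%d/%Y %I:%M:%S %p")
    code = int(fields["Error Code"], 16)
    return {"time": ts, "account": fields["Logon account"],
            "workstation": fields["Source Workstation"].lstrip("\\"),
            "error_code": code, "error_name": ERROR_CODES.get(code, "unknown NTSTATUS")}


def correlate(events, alerts, window=timedelta(seconds=5)):
    """Map each claimed workstation name to the source IPs Snort saw failing SMB logons within +/- window."""
    by_ws = defaultdict(Counter)
    for ev in events:
        for al in alerts:
            if al["sid"] in SMB_LOGON_FAILURE_SIDS and abs(al["time"] - ev["time"]) <= window:
                by_ws[ev["workstation"]][al["src_ip"]] += 1
    return {ws: dict(c) for ws, c in by_ws.items()}


# --- constructed sample data (IPs, names and times are made up) ---
EVENT_TEMPLATE = (
    "Event Type: Audit Failure\nEvent Source: Security\nEvent Category: Account Logon\n"
    "Event ID: 680\nDate: 1/24/2005\nTime: {time}\nUser: SYSTEM\nComputer: DC1\n"
    "Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\nLogon account: {account}\n"
    "Source Workstation: \\\\{ws}\nError Code: {code}"
)
SAMPLE_EVENTS = [
    EVENT_TEMPLATE.format(time="10:26:33 AM", account="root", ws="RYDER", code="0xC0000064"),
    EVENT_TEMPLATE.format(time="10:26:40 AM", account="administrator", ws="RYDER", code="0xC0000064"),
    EVENT_TEMPLATE.format(time="10:41:00 AM", account="jsmith", ws="FOO", code="0xC000006A"),
]
SAMPLE_ALERTS = [
    "01/24-10:26:31.512000  [**] [1:2923:3] NETBIOS SMB repeated logon failure [**] "
    "[Classification: Unsuccessful User Privilege Gain] [Priority: 1] {TCP} 10.1.2.3:1045 -> 10.0.0.5:139",
    "01/24-10:26:39.801000  [**] [1:2924:3] NETBIOS SMB-DS repeated logon failure [**] "
    "[Classification: Unsuccessful User Privilege Gain] [Priority: 1] {TCP} 10.1.2.3:1046 -> 10.0.0.5:445",
    "01/24-10:40:58.100000  [**] [1:2924:3] NETBIOS SMB-DS repeated logon failure [**] "
    "[Classification: Unsuccessful User Privilege Gain] [Priority: 1] {TCP} 10.9.9.9:3301 -> 10.0.0.5:445",
    "01/24-10:50:00.000000  [**] [1:1000001:1] unrelated local rule [**] "
    "[Classification: Misc activity] [Priority: 3] {TCP} 10.9.9.9:3302 -> 10.0.0.5:80",
]


def run_sample():
    """Parse the constructed data and return {workstation: {src_ip: alert_count}}."""
    events = [e for e in (parse_event(t) for t in SAMPLE_EVENTS) if e]
    alerts = [a for a in (parse_alert(l, 2005) for l in SAMPLE_ALERTS) if a]
    return correlate(events, alerts)


if __name__ == "__main__":
    for ev in (parse_event(t) for t in SAMPLE_EVENTS):
        print(f"{ev['time']} {ev['workstation']:<8} {ev['account']:<14} {ev['error_name']}")
    for ws, ips in run_sample().items():
        print(f"\\\\{ws} -> candidate source IPs: {ips}")
```

The window only makes sense if the sensor and the DC keep the same time, so check both against NTP before trusting a match; a name that pairs with several unrelated IPs usually means the workstation field is spoofed or the window is too wide. Error code 0xC0000064 (no such user) with accounts like "root" is the signature of a scanner guessing names rather than a misconfigured member server, which is what the original post is seeing.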