[Snort-users] Windows Logon Failures

kimhick at ...1457... kimhick at ...1457...
Wed Jan 26 11:12:01 EST 2005


Thanks to everyone who gave advice.  If nothing else I am learning a lot.  I set the new rules but I am not getting any alarms, but my event view is getting pounded by more failed logon attempts.  This time by a device called \\ENDO.

My snort is working I am getting other netbios alarms from another rule set:

[**] [1:530:3] NETBIOS NT NULL session [**]
[Classification: Attempted Information Leak] [Priority: 2] 
01/26-12:22:32.905683 192.168.38.45:1382 -> 172.30.10.12:139
TCP TTL:123 TOS:0x0 ID:35000 IpLen:20 DgmLen:216 DF
***AP*** Seq: 0x37BEFB5  Ack: 0xC460D626  Win: 0x21D1  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS204][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0347][Xref => http://www.securityfocus.com/bid/1163]

[**] [1:538:1] NETBIOS SMB IPC$access [**]
[Classification: Attempted Information Leak] [Priority: 2] 
01/26-12:22:32.905683 192.168.38.45:1382 -> 172.30.10.12:139
TCP TTL:123 TOS:0x0 ID:35000 IpLen:20 DgmLen:216 DF
***AP*** Seq: 0x37BEFB5  Ack: 0xC460D626  Win: 0x21D1  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS334]

These I think are from old Windows NT servers trying to establish a null or anonymous connection.  I think that is normal.

Are there any other rules out there, or is it possible to write a new rule that can catch this event so I can find a source IP address?

Here is the latest event:

Event Type:	Audit Failure
Event Source:	Security
Event Category:	Account Logon
Event ID:	680
Date:		1/26/2005
Time:		7:22:29 AM
User:		SYSTEM
Computer:	COM1
Description:
Logon attempt by:	MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Logon account:	uucp
 Source Workstation:	\\ENDO
 Error Code:	0xC0000064


Thanks,

Brian
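The event 680 record above names only the source workstation (\\ENDO), not an address, while the Snort alerts already carry src:port -> dst:port for every SMB session to the server. The following script, an added example and not part of the original post or of Snort, parses Snort's full-alert format as quoted above and lists the source IPs of SMB-bound alerts within a time window of the logon failure; the extra alert lines, the 10-second window, and the 5-hour clock offset between the Windows server and the sensor are constructed assumptions.

```python
"""Correlate a Windows Security event 680 (failed logon, no source IP
recorded) with Snort full-alert output, which does carry src:port -> dst:port.
Added example; alert text, window and clock offset are constructed assumptions."""
import re
from datetime import datetime, timedelta

# Constructed sample in the alert format quoted in the post (third alert added).
SNORT_ALERTS = """\
[**] [1:530:3] NETBIOS NT NULL session [**]
[Classification: Attempted Information Leak] [Priority: 2]
01/26-12:22:32.905683 192.168.38.45:1382 -> 172.30.10.12:139
TCP TTL:123 TOS:0x0 ID:35000 IpLen:20 DgmLen:216 DF

[**] [1:538:1] NETBIOS SMB IPC$access [**]
[Classification: Attempted Information Leak] [Priority: 2]
01/26-12:22:32.905683 192.168.38.45:1382 -> 172.30.10.12:139

[**] [1:538:1] NETBIOS SMB IPC$access [**]
[Classification: Attempted Information Leak] [Priority: 2]
01/26-12:41:07.000001 10.9.8.7:2222 -> 172.30.10.12:139
"""

HEADER = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
TSLINE = re.compile(r"^(\d\d)/(\d\d)-(\d\d):(\d\d):(\d\d)\.(\d+) "
                    r"(\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$")

def parse_alerts(text, year=2005):
    """Return (timestamp, msg, src_ip, src_port, dst_ip, dst_port) per alert."""
    alerts, msg = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            msg = m.group(4)          # alert message from the [**] header line
            continue
        m = TSLINE.match(line)
        if m and msg:                 # timestamp line belongs to the last header
            mon, day, hh, mm, ss, us, sip, sp, dip, dp = m.groups()
            ts = datetime(year, int(mon), int(day), int(hh), int(mm), int(ss), int(us))
            alerts.append((ts, msg, sip, int(sp), dip, int(dp)))
    return alerts

def smb_sources_near(alerts, event_time, window=timedelta(seconds=10),
                     smb_ports=(139, 445)):
    """Source IPs of alerts to SMB ports within +/- window of the logon failure."""
    return sorted({sip for ts, _m, sip, _sp, _d, dp in alerts
                   if dp in smb_ports and abs(ts - event_time) <= window})

# Event 680 is stamped 7:22:29 AM on the server; the sensor log reads 12:22.
# Converting to the sensor's clock with an assumed 5-hour offset before matching.
EVENT_TIME_SENSOR_CLOCK = datetime(2005, 1, 26, 7, 22, 29) + timedelta(hours=5)
```

Run against a real alert file, the same call narrows the failed logon to the hosts that had SMB sessions open with the server at that moment; if the two clocks are not synchronised, widen the window rather than guessing the offset.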