[Snort-users] Detecting administrative share access

Tewodros Ambasa black.ambasa at gmail.com
Sun Jan 27 05:02:51 EST 2019

Hello. I have been trying to detect administrative share access on my
network. I have read that the dcerpc2 processor can detect administrative
share access and seems to be enabled by default in the snort.conf but I do
not get any alerts when testing it by accessing \\\C$ of

I have also created a custom rule to detect administrative access:

alert any any -> $HOME_NET 445 (msg:"Admin share access";
pcre:"/(ADMIN\$)|(C\$)/i"; sid:1000200; rev:001; classtype:misc-activity;)

However, no alerts are triggered. What could the issue be?
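One condition under which a byte-level pattern like the pcre in the rule above stays silent, shown as an added example that is not part of the original post: SMB2 TREE_CONNECT (and SMB1 with Unicode strings negotiated) carries the share path as UTF-16LE, so a NUL byte sits between `C` and `$` on the wire. The sample paths, the 192.0.2.10 address and the `NUL_TOLERANT` pattern are constructed for illustration and assume the request is not encrypted.

```python
import re

# The pcre from the posted rule, applied to raw payload bytes as Snort would.
POSTED = re.compile(rb"(ADMIN\$)|(C\$)", re.I)

# Hypothetical variant (an assumption, not from the post): tolerate the NUL that
# UTF-16LE places after each ASCII character, and require the backslash that
# precedes the share name so that IPC$ is not matched by its trailing "C$".
NUL_TOLERANT = re.compile(
    rb"\\\x00?(?:A\x00?D\x00?M\x00?I\x00?N|C)\x00?\$", re.I
)


def tree_connect_path(server, share, unicode_strings=True):
    """Return only the path field of a tree connect request.

    Constructed sample data, not a complete SMB packet.
    """
    path = "\\\\{}\\{}".format(server, share)
    return path.encode("utf-16-le" if unicode_strings else "ascii")


def matches(pattern, payload):
    """True if the pattern is found anywhere in the payload bytes."""
    return pattern.search(payload) is not None


def evaluate(server="192.0.2.10"):
    """Compare both patterns on each share name in both string encodings."""
    rows = []
    for share in ("C$", "admin$", "IPC$"):
        for uni in (True, False):
            payload = tree_connect_path(server, share, uni)
            rows.append((share, "utf-16-le" if uni else "ascii",
                         matches(POSTED, payload),
                         matches(NUL_TOLERANT, payload)))
    return rows


if __name__ == "__main__":
    print("share   encoding   posted  nul_tolerant")
    for share, enc, posted, tolerant in evaluate():
        print("{:<7} {:<10} {!s:<7} {}".format(share, enc, posted, tolerant))
```
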