[Snort-users] Detecting administrative share access

Al Lewis (allewi) allewi at cisco.com
Sun Jan 27 08:01:30 EST 2019

Do you have a sample of the traffic that you can share?

Albert Lewis
Cisco Systems Inc.
Email: allewi at cisco.com<mailto:allewi at cisco.com>

From: Snort-users <snort-users-bounces at lists.snort.org> on behalf of Tewodros Ambasa via Snort-users <snort-users at lists.snort.org>
Reply-To: Tewodros Ambasa <black.ambasa at gmail.com>
Date: Sunday, January 27, 2019 at 5:06 AM
To: "snort-users at lists.snort.org" <snort-users at lists.snort.org>
Subject: Re: [Snort-users] Detecting administrative share access

Hello. I have been trying to detect administrative share access on my network. I have read that the dcerpc2 processor can detect administrative share access and seems to be enabled by default in the snort.conf but I do not get any alerts when testing it by accessing \\\C$ of \\\ADMIN$.

I have also created a custom rule to detect administrative access:

alert any any -> $HOME_NET 445 (msg:"Admin share access"; pcre:"/(ADMIN\$)|(C\$)/i"; sid:1000200; rev:001; classtype:misc-activity;)

However, no alerts are triggered. What could the issue be?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20190127/f186dbbd/attachment.html>

More information about the Snort-users mailing list