[Snort-users] Detecting administrative share access
dorianbrice at hotmail.fr
Sun Jan 27 08:04:20 EST 2019
Have you tried other sockets than Samba?
You can try TFTP 😉,
There are a lot of share sockets!!!
From: Snort-users <snort-users-bounces at lists.snort.org> on behalf of Tewodros Ambasa via Snort-users <snort-users at lists.snort.org>
Sent: Sunday, January 27, 2019 11:02:51 AM
To: snort-users at lists.snort.org
Subject: Re: [Snort-users] Detecting administrative share access
Hello. I have been trying to detect administrative share access on my network. I have read that the dcerpc2 processor can detect administrative share access and seems to be enabled by default in the snort.conf, but I do not get any alerts when testing it by accessing \\192.168.1.10\C$ or \\192.168.1.10\ADMIN$.
I have also created a custom rule to detect administrative access:
# The rule header needs a protocol (tcp); SMB2 carries the share path as UTF-16LE,
# so the pattern allows an optional NUL byte between the ASCII characters.
alert tcp any any -> $HOME_NET 445 (msg:"Admin share access"; flow:to_server,established; pcre:"/(A\x00?D\x00?M\x00?I\x00?N\x00?\$|C\x00?\$)/i"; sid:1000200; rev:1; classtype:misc-activity;)
However, no alerts are triggered. What could the issue be?
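Added example, not from anyone in this thread: an SMB2 TREE_CONNECT request carries the share path as UTF-16LE, so a byte-level search for ASCII "C$" finds nothing, while decoding the path field does. The packet is constructed here rather than captured, the builder and parser are my own, and the admin-share pattern is generalised to any drive-letter share plus ADMIN$.

```python
import re
import struct

# Constructed SMB2 TREE_CONNECT request as it appears on TCP/445 behind the
# 4-byte NetBIOS session header. Built for illustration; not captured traffic.
SMB2_MAGIC = b"\xfeSMB"
SMB2_TREE_CONNECT = 0x0003
ADMIN_SHARE_RE = re.compile(r"^\\\\[^\\]+\\([A-Z]\$|ADMIN\$)$", re.IGNORECASE)

def build_tree_connect(path: str) -> bytes:
    """Build a minimal SMB2 TREE_CONNECT request carrying `path` as UTF-16LE."""
    path_bytes = path.encode("utf-16-le")
    header = bytearray(64)
    header[0:4] = SMB2_MAGIC
    struct.pack_into("<H", header, 4, 64)                  # StructureSize
    struct.pack_into("<H", header, 12, SMB2_TREE_CONNECT)  # Command
    # Body: StructureSize=9, Flags, PathOffset (from SMB2 header start), PathLength
    body = struct.pack("<HHHH", 9, 0, 64 + 8, len(path_bytes)) + path_bytes
    msg = bytes(header) + body
    return struct.pack(">I", len(msg)) + msg  # NetBIOS session header (type 0)

def extract_share_path(packet: bytes):
    """Return the decoded share path from an SMB2 TREE_CONNECT request, else None."""
    if len(packet) < 4 + 64:
        return None
    nb_len = struct.unpack(">I", packet[:4])[0] & 0x00FFFFFF
    smb = packet[4:4 + nb_len]
    if smb[:4] != SMB2_MAGIC:
        return None
    command = struct.unpack_from("<H", smb, 12)[0]
    if command != SMB2_TREE_CONNECT:
        return None
    _, _, path_off, path_len = struct.unpack_from("<HHHH", smb, 64)
    if path_off + path_len > len(smb):
        return None  # bogus length fields: never read past the message
    return smb[path_off:path_off + path_len].decode("utf-16-le", errors="replace")

def is_admin_share_access(packet: bytes) -> bool:
    path = extract_share_path(packet)
    return bool(path and ADMIN_SHARE_RE.match(path))

def ascii_rule_matches(packet: bytes) -> bool:
    """What the posted pcre does: a byte-level search for ASCII ADMIN$ or C$."""
    return re.search(rb"(ADMIN\$)|(C\$)", packet, re.IGNORECASE) is not None

if __name__ == "__main__":
    pkt = build_tree_connect(r"\\192.168.1.10\C$")
    print("ASCII pcre matches:", ascii_rule_matches(pkt))      # False
    print("decoded path / admin:", extract_share_path(pkt), is_admin_share_access(pkt))
```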