[Snort-users] Detecting administrative share access

Tewodros Ambasa black.ambasa at gmail.com
Mon Jan 28 13:25:48 EST 2019


I am monitoring administrative share access that occurs on port 445; I am
not monitoring other ports like TFTP.

The initial rule was submitted erroneously. The corrected rule, which still
does not get triggered when administrative shares are accessed, is below:

alert tcp any any -> $HOME_NET 445 (msg:"Admin share access";
pcre:"/(\\ADMIN\$)|(\\C\$)/i"; sid:1000200; rev:001;
classtype:misc-activity;)
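An added illustration of why an ASCII PCRE like the one above sees no match on port 445 (this is not from the original post or from Snort's own rules): SMB2 carries the share path in the TREE_CONNECT request as UTF-16LE, so every character is followed by a 0x00 byte and "\C$" never appears contiguously on the wire. The snippet below constructs that path encoding, runs the posted pattern and a UTF-16LE-aware one against it, and renders a share name as a Snort hex content string; the SMB2 header is omitted since only the Path field matters here.

```python
import re

# The pattern from the posted rule, evaluated the way PCRE would.
ASCII_PATTERN = re.compile(rb"(\\ADMIN\$)|(\\C\$)", re.IGNORECASE)

# Same intent, but written for UTF-16LE: a 0x00 byte follows each character.
UTF16_PATTERN = re.compile(
    rb"\\\x00(?:A\x00D\x00M\x00I\x00N\x00|C\x00)\$\x00", re.IGNORECASE
)


def tree_connect_path(path: str) -> bytes:
    """Constructed stand-in for the Path field of an SMB2 TREE_CONNECT.

    SMB2 always encodes this field as UTF-16LE; only the bytes the rule's
    PCRE would be inspecting are returned (no SMB2 header).
    """
    return path.encode("utf-16-le")


def matches_ascii_rule(payload: bytes) -> bool:
    """True if the posted rule's PCRE would match this payload."""
    return ASCII_PATTERN.search(payload) is not None


def matches_utf16_rule(payload: bytes) -> bool:
    """True if the UTF-16LE-aware pattern matches this payload."""
    return UTF16_PATTERN.search(payload) is not None


def snort_hex_content(share: str) -> str:
    """Render "\\<share>" as UTF-16LE inside Snort's |XX XX| hex content syntax.

    snort_hex_content("C$") -> "|5C 00 43 00 24 00|"
    """
    data = ("\\" + share).encode("utf-16-le")
    return "|" + " ".join(f"{b:02X}" for b in data) + "|"


if __name__ == "__main__":
    wire = tree_connect_path(r"\\10.0.0.5\C$")  # constructed sample path
    print("posted PCRE matches SMB2 path:", matches_ascii_rule(wire))
    print("UTF-16LE PCRE matches SMB2 path:", matches_utf16_rule(wire))
    print("hex content for C$:", snort_hex_content("C$"))
```

The posted pattern still matches a legacy SMB1 session negotiated without the Unicode flag (ASCII paths), which is why the same rule can appear to work in one lab and not another.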