SMB login Failure

[Andy Wood <andy.wood () sptrm com>]

        The Cisco IDSs do a good job of having rules to detect internal
attacks, one being SMB Login Failure.  This rule is nice for detecting
servers that have misconfigured services, as well as someone trying to brute
force.  There is no snort rule that detects SMB failures that I have seen.
I have captured a failure, but am not able to tell if I have constructed the
best rule. Can anyone offer any suggestions?  My doubt comes with the Offset
and Depth section, as I'm not quite sure how to determine byte positions
within the Hex patterns.  (The rule does work with both being set to 1)
Thanks.

        Attached is the cap in TCPDUMP format.  Packet 33 is the server's
failure response.

alert tcp any 139 -> any any (msg:"SMB Login Failure - Port 139";
flow:to_client,established; content:"|6d 00 00 c0|"; offset: 1; depth 1; sid
3000004; rev:1;)

alert tcp any 445 -> any any (msg:"SMB Login Failure - Port 445";
flow:to_client,established; content:"|6d 00 00 c0|"; offset: 1; depth 1; sid
3000005; rev:1;)

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.487 / Virus Database: 286 - Release Date: 6/1/2003

Attachment: smb_fail.dmp
Description: