Snort mailing list archives
SMB login Failure
From: Andy Wood <andy.wood () sptrm com>
Date: Thu, 5 Jun 2003 20:21:28 -0400
The Cisco IDSs do a good job of having rules to detect internal attacks, one being SMB Login Failure. This rule is nice for detecting servers that have misconfigured services, as well as someone trying to brute force. There is no snort rule that detects SMB failures that I have seen. I have captured a failure, but am not able to tell if I have constructed the best rule. Can anyone offer any suggestions? My doubt comes with the Offset and Depth section, as I'm not quite sure how to determine byte positions within the Hex patterns. (The rule does work with both being set to 1) Thanks. Attached is the cap in TCPDUMP format. Packet 33 is the server's failure response. alert tcp any 139 -> any any (msg:"SMB Login Failure - Port 139"; flow:to_client,established; content:"|6d 00 00 c0|"; offset: 1; depth 1; sid 3000004; rev:1;) alert tcp any 445 -> any any (msg:"SMB Login Failure - Port 445"; flow:to_client,established; content:"|6d 00 00 c0|"; offset: 1; depth 1; sid 3000005; rev:1;) --- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.487 / Virus Database: 286 - Release Date: 6/1/2003
Attachment:
smb_fail.dmp
Description:
Current thread:
- SMB login Failure Andy Wood (Jun 05)
- <Possible follow-ups>
- RE: SMB login Failure Horta, Benny (Jun 09)