Snort mailing list archives
RE: SMB login Failure
From: "Horta, Benny" <BHorta1 () dadeschools net>
Date: Mon, 9 Jun 2003 11:05:11 -0400
It would be interesting to see. I will try it on my network; for some reason it seems these types of signatures do not interest anyone. Maybe everyone on the list runs Linux :)

-----Original Message-----
From: Andy Wood [mailto:andy.wood () sptrm com]
Sent: Thursday, June 05, 2003 8:21 PM
To: 'snort-sigs () lists sourceforge net'; snort-users () lists sourceforge net
Subject: [Snort-users] SMB login Failure

The Cisco IDSs do a good job of having rules to detect internal attacks, one being SMB Login Failure. This rule is nice for detecting servers that have misconfigured services, as well as someone trying to brute force. There is no Snort rule that detects SMB failures that I have seen. I have captured a failure, but am not able to tell if I have constructed the best rule. Can anyone offer any suggestions? My doubt comes with the offset and depth section, as I'm not quite sure how to determine byte positions within the hex patterns. (The rule does work with both being set to 1.) Thanks.

Attached is the cap in TCPDUMP format. Packet 33 is the server's failure response.

alert tcp any 139 -> any any (msg:"SMB Login Failure - Port 139"; flow:to_client,established; content:"|6d 00 00 c0|"; offset:1; depth:1; sid:3000004; rev:1;)
alert tcp any 445 -> any any (msg:"SMB Login Failure - Port 445"; flow:to_client,established; content:"|6d 00 00 c0|"; offset:1; depth:1; sid:3000005; rev:1;)
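The question in the quoted message is how to find the byte position of the `6d 00 00 c0` pattern so that offset and depth are derived rather than guessed. The following is an added worked example, not code from either poster. It assumes the SMB1 (CIFS) wire layout on both 139 and 445: a 4-byte NetBIOS session header, then the 32-byte SMB header whose first nine bytes are `FF 'S' 'M' 'B'`, the command byte, and the little-endian 32-bit NT status. 0xC000006D is NT_STATUS_LOGON_FAILURE, which is why the pattern reads `6d 00 00 c0` on the wire. The sample packet is constructed inline; the function names (`build_smb_response`, `parse_nt_status`, `snort_content_match`, `logon_failure_rule`) are this example's own.

```python
"""Added example (not from the Snort list thread): locate the NT status field
in an SMB1 Session Setup AndX response so the Snort offset/depth can be
derived from the header layout instead of guessed."""
import struct

# SMB1 header layout constants; values assumed from the CIFS header format.
NT_STATUS_LOGON_FAILURE = 0xC000006D
SMB_COM_SESSION_SETUP_ANDX = 0x73
NBSS_HEADER_LEN = 4       # NetBIOS session service header: type byte + 3-byte length
SMB_COMMAND_OFFSET = 4    # within the SMB header: right after 0xFF 'S' 'M' 'B'
SMB_STATUS_OFFSET = 5     # within the SMB header: right after the command byte


def build_smb_response(status, command=SMB_COM_SESSION_SETUP_ANDX, flags=0x88):
    """Constructed sample: a minimal SMB1 response as it appears in the TCP
    payload on port 139 or 445 (NBSS header + 32-byte SMB header + empty body)."""
    smb_header = struct.pack(
        "<4sBIBHH8sHHHHH",
        b"\xffSMB",   # protocol identifier
        command,      # SMB command (0x73 = Session Setup AndX)
        status,       # 32-bit NT status, little-endian on the wire
        flags,        # bit 7 set marks a server response
        0xC807,       # Flags2: NT status codes, Unicode, long names
        0,            # PID high
        b"\x00" * 8,  # security features / signature
        0,            # reserved
        0, 0, 0, 0,   # TID, PID low, UID, MID
    )
    body = b"\x00" + b"\x00\x00"            # word count 0, byte count 0
    smb = smb_header + body
    nbss = b"\x00" + len(smb).to_bytes(3, "big")  # session message + length
    return nbss + smb


def parse_nt_status(payload):
    """Return (status, byte offset of the status field within the TCP payload),
    or None when the payload does not start with an SMB1 header."""
    start = NBSS_HEADER_LEN
    if len(payload) < start + 32 or payload[start:start + 4] != b"\xffSMB":
        return None
    status_pos = start + SMB_STATUS_OFFSET
    status = struct.unpack_from("<I", payload, status_pos)[0]
    return status, status_pos


def snort_content_match(payload, content, offset=0, depth=None):
    """Mimic Snort's content/offset/depth semantics: search for `content`
    starting at `offset`, looking no more than `depth` bytes from there.
    Snort rejects a rule whose depth is shorter than its content, so a
    4-byte pattern with depth 1 can never be a valid match window."""
    if depth is not None and depth < len(content):
        raise ValueError(f"depth {depth} is less than content length {len(content)}")
    end = len(payload) if depth is None else offset + depth
    return payload.find(content, offset, end) != -1


def logon_failure_rule(port, sid):
    """Build the rule with offset/depth pinned to the status field, and an
    extra content check on the command byte so it only fires on Session
    Setup AndX responses rather than on any SMB reply carrying that status."""
    command_pos = NBSS_HEADER_LEN + SMB_COMMAND_OFFSET   # 8
    status_pos = NBSS_HEADER_LEN + SMB_STATUS_OFFSET     # 9
    pattern = " ".join(f"{b:02x}" for b in struct.pack("<I", NT_STATUS_LOGON_FAILURE))
    return (f'alert tcp any {port} -> any any (msg:"SMB Login Failure - Port {port}"; '
            f'flow:to_client,established; '
            f'content:"|{SMB_COM_SESSION_SETUP_ANDX:02x}|"; offset:{command_pos}; depth:1; '
            f'content:"|{pattern}|"; offset:{status_pos}; depth:4; '
            f'sid:{sid}; rev:2;)')


if __name__ == "__main__":
    failure = build_smb_response(NT_STATUS_LOGON_FAILURE)
    status, pos = parse_nt_status(failure)
    print(f"status=0x{status:08X} at payload offset {pos}: {failure[pos:pos + 4].hex(' ')}")
    print(logon_failure_rule(139, 3000004))
    print(logon_failure_rule(445, 3000005))
```

The derived values are offset:9 and depth:4 on both ports, since the raw-TCP framing on 445 uses the same 4-byte length prefix as the NetBIOS session service on 139. Two caveats a deployer would want: the status is only an NT status code when the client and server negotiated NT status codes (Flags2 bit 0x4000); otherwise the same field carries a DOS error class/code and this pattern will not appear. And the pattern on its own is a fairly short 4-byte match, so pinning it to the exact offset and to the Session Setup AndX command byte is what keeps the false-positive rate down.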
Current thread:
- SMB login Failure Andy Wood (Jun 05)
- <Possible follow-ups>
- RE: SMB login Failure Horta, Benny (Jun 09)