Snort mailing list archives
Re: Kerberos login failure detection
From: waldo kitty <wkitty42 () windstream net>
Date: Mon, 15 Sep 2014 14:47:15 -0400
On 9/15/2014 10:28 AM, Sharif Uddin wrote:
Hello, I would like to set up an alert for this in my network. I have found the following guide but the alert is not producing any results:
http://foxtrot7security.blogspot.co.uk/2011/12/defeat-domain-user-spraying-brute_28.html

# ad login failed
alert tcp any 88 -> any any (msg:"Possible domain user spraying detected"; \
    flow:established, to_client; \
    content:"|05|"; offset:14; depth:15; \
    content:"|1e|"; distance:4; within:1; \
    content:"|18|"; distance:30; within:1; \
    detection_filter:track by_dst, count 1, seconds 60; \
    reference:url,foxtrot7security.blogspot.com/2011/12/defeat-domain-user-spraying-brute_28.html; \
    classtype:attempted-user; \
    sid:1000002; \
    rev:0;)
firstly, what version of snort are you using? i think your problem is going to stem from the combined "offset", "depth", "distance" and "within" options... i say this because how they operate has changed in recent versions of snort as compared to that which was available back in December of 2011... the rule might work with the use of one of the "raw*" modifiers or a slightly different manner of specifying where the data is to be found in the buffer it is contained in... hopefully this helps point you in the right direction ;)

--
NOTE: No off-list assistance is given without prior approval. Please *keep mailing list traffic on the list* unless private contact is specifically requested and granted.
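To make the rule's byte positions concrete, here is an added example (not from the thread or the linked blog) that rebuilds the three content checks with Snort's offset/depth/distance/within semantics and runs them against a constructed KRB-ERROR message as it travels over TCP/88. The field layout follows RFC 4120 (KRB-ERROR is APPLICATION 30, msg-type 30, error-code 24 is KDC_ERR_PREAUTH_FAILED); the realm, timestamp, susec and e-data values are invented.

```python
# Added example, not code from the thread: the realm, time and e-data below are made up.

def der(tag: int, body: bytes) -> bytes:  # minimal DER TLV, long-form length from 128 bytes
    n = len(body)
    length = bytes([n]) if n < 128 else bytes([0x81, n]) if n < 256 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body

def der_int(v: int) -> bytes:                      # DER INTEGER, non-negative values only
    return der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def ctx(n: int, inner: bytes) -> bytes:            # [n] EXPLICIT context tag, as KRB5 encodes fields
    return der(0xA0 | n, inner)

def krb_error_tcp(error_code: int, susec: int = 0x0BC7A5, edata_len: int = 80) -> bytes:
    """Constructed KRB-ERROR with the 4-byte length prefix Kerberos uses over TCP."""
    realm = b"EXAMPLE.LOCAL"
    fields = (ctx(0, der_int(5))                          # pvno
              + ctx(1, der_int(30))                       # msg-type = KRB-ERROR
              + ctx(4, der(0x18, b"20140915143000Z"))     # stime, GeneralizedTime (15 chars)
              + ctx(5, der_int(susec))                    # susec, usually a 3-byte INTEGER
              + ctx(6, der_int(error_code))               # error-code
              + ctx(9, der(0x1B, realm))                  # realm, GeneralString
              + ctx(10, der(0x30, ctx(0, der_int(2)) + ctx(1, der(0x30,         # sname krbtgt/REALM
                    der(0x1B, b"krbtgt") + der(0x1B, realm))))))
    if edata_len:                                         # e-data; pushes the message past 128 bytes
        fields += ctx(12, der(0x04, b"\x00" * edata_len))
    msg = der(0x7E, der(0x30, fields))
    return len(msg).to_bytes(4, "big") + msg

def snort_content_chain(payload: bytes, chain) -> bool:
    """offset/depth count from payload start; distance/within count from the end of the previous match."""
    cursor = 0
    for pat, m in chain:
        relative = "distance" in m or "within" in m
        start = cursor + m.get("distance", 0) if relative else m.get("offset", 0)
        span = m.get("within") if relative else m.get("depth")
        window = payload[start:] if span is None else payload[start:start + span]
        idx = window.find(pat)
        if idx < 0:
            return False
        cursor = start + idx + len(pat)
    return True

RULE_CHAIN = [(b"\x05", {"offset": 14, "depth": 15}),      # the quoted rule's checks: pvno 5
              (b"\x1e", {"distance": 4, "within": 1}),     # msg-type 30 = KRB-ERROR
              (b"\x18", {"distance": 30, "within": 1})]    # error-code 24 = KDC_ERR_PREAUTH_FAILED

def rule_matches(payload: bytes) -> bool:
    return snort_content_chain(payload, RULE_CHAIN)
```

Running `rule_matches` on `krb_error_tcp(24)` fires, while `krb_error_tcp(25)`, a 2-byte susec (`susec=1000`) or a message under 128 bytes (`edata_len=0`, short-form DER lengths) do not, which shows how tightly offset:14 and distance:30 are bound to one particular encoding of the message.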