Snort mailing list archives
Re: Detecting administrative share access
From: "Al Lewis \(allewi\) via Snort-users" <snort-users () lists snort org>
Date: Sun, 27 Jan 2019 13:01:30 +0000
Do you have a sample of the traffic that you can share?

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
Cisco Systems Inc.
Email: allewi () cisco com

From: Snort-users <snort-users-bounces () lists snort org> on behalf of Tewodros Ambasa via Snort-users <snort-users () lists snort org>
Reply-To: Tewodros Ambasa <black.ambasa () gmail com>
Date: Sunday, January 27, 2019 at 5:06 AM
To: "snort-users () lists snort org" <snort-users () lists snort org>
Subject: Re: [Snort-users] Detecting administrative share access

Hello.

I have been trying to detect administrative share access on my network. I have read that the dcerpc2 preprocessor can detect administrative share access and it seems to be enabled by default in the snort.conf, but I do not get any alerts when testing it by accessing \\192.168.1.10\C$ or \\192.168.1.10\ADMIN$.

I have also created a custom rule to detect administrative share access:

alert any any -> $HOME_NET 445 (msg:"Admin share access"; pcre:"/(ADMIN\$)|(C\$)/i"; sid:1000200; rev:001; classtype:misc-activity;)

However, no alerts are triggered. What could the issue be?
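The pcre in the quoted rule matches only the ASCII bytes `C$` and `ADMIN$`, but an SMB2 TREE_CONNECT, and an SMB1 Tree Connect AndX from any client that sets SMB_FLAGS2_UNICODE, carries the share path as UTF-16LE, so `C$` is on the wire as `43 00 24 00` and the pattern never sees it; the posted rule header also has no protocol field (`alert tcp ...`). The following is an added example, not code from this thread or from the Snort project: it builds constructed SMB1 and SMB2 tree-connect requests (host, shares and every packet field are made up) and runs the posted pattern beside a UTF-16LE-aware check that, like a rule should, first gates on the SMB command so a WRITE whose data happens to contain `C$` does not fire.

```python
"""Admin-share tree connects: why an ASCII pcre misses them (constructed packets)."""
import re
import struct
from typing import Optional


def smb2_tree_connect(path: str, command: int = 0x0003) -> bytes:
    """Constructed SMB2 request as seen in a TCP/445 payload: 4-byte NetBIOS
    session header, 64-byte SMB2 header, then a TREE_CONNECT body whose Buffer
    carries the share path as UTF-16LE (MS-SMB2 2.2.9). `command` defaults to
    TREE_CONNECT (0x0003); pass another value to build a non-tree-connect sample."""
    path_bytes = path.encode("utf-16-le")           # no BOM, no terminator
    header = (b"\xfeSMB"
              + struct.pack("<HHIHHIIQIIQ", 64, 1, 0, command, 1, 0, 0, 4, 0, 0, 0x1234)
              + b"\x00" * 16)                       # Signature
    body = struct.pack("<HHHH", 9, 0, 64 + 8, len(path_bytes)) + path_bytes
    smb = header + body
    return struct.pack(">I", len(smb)) + smb


def smb1_tree_connect_andx(path: str, unicode: bool = True) -> bytes:
    """Constructed SMB1 Tree Connect AndX (command 0x75, MS-CIFS 2.2.4.55).
    With SMB_FLAGS2_UNICODE (0x8000) the Path is UTF-16LE; only with the flag
    clear is it the plain ASCII string the posted pcre expects."""
    flags2 = 0x8000 if unicode else 0x0000
    header = (b"\xffSMB" + bytes([0x75]) + struct.pack("<IBH", 0, 0x18, flags2)
              + b"\x00" * 12 + struct.pack("<HHHH", 0, 0, 0, 0))   # PIDHigh..MID
    password = b"\x00"
    # Path lands on an even offset here, so the optional Pad byte is not needed.
    path_bytes = ((path + "\x00").encode("utf-16-le") if unicode
                  else path.encode("ascii") + b"\x00")
    data = password + path_bytes + b"?????\x00"      # Password, Path, Service
    words = struct.pack("<BBBHHH", 4, 0xFF, 0, 0, 0, len(password))
    smb = header + words + struct.pack("<H", len(data)) + data
    return struct.pack(">I", len(smb)) + smb


# The posted pattern: ASCII only, anywhere in the payload.
POSTER_PCRE = re.compile(rb"(ADMIN\$)|(C\$)", re.IGNORECASE)

# UTF-16LE aware: '\' (5c 00), then ADMIN or one drive letter, then '$' (24 00).
ADMIN_SHARE_UTF16 = re.compile(
    rb"\\\x00(?:A\x00D\x00M\x00I\x00N\x00|[A-Z]\x00)\$\x00", re.IGNORECASE)
# Legacy ASCII form for SMB1 without the Unicode flag.
ADMIN_SHARE_ASCII = re.compile(rb"\\(?:ADMIN|[A-Z])\$", re.IGNORECASE)


def is_smb2_tree_connect(payload: bytes) -> bool:
    """SMB2 magic at offset 4 (after the NetBIOS header), Command at offset 16."""
    return (len(payload) >= 18 and payload[4:8] == b"\xfeSMB"
            and struct.unpack_from("<H", payload, 16)[0] == 0x0003)


def is_smb1_tree_connect(payload: bytes) -> bool:
    return len(payload) >= 9 and payload[4:8] == b"\xffSMB" and payload[8] == 0x75


def admin_share_access(payload: bytes) -> Optional[str]:
    """Return the administrative share named in a tree connect, else None."""
    if not (is_smb2_tree_connect(payload) or is_smb1_tree_connect(payload)):
        return None
    m = ADMIN_SHARE_UTF16.search(payload)
    if m:
        return m.group(0).decode("utf-16-le")[1:].upper()   # drop leading '\'
    m = ADMIN_SHARE_ASCII.search(payload)
    if m:
        return m.group(0).decode("ascii")[1:].upper()
    return None


def run_demo() -> dict:
    """Map sample name -> (posted pcre hit?, share found by the UTF-16-aware check)."""
    samples = {
        "smb2_c$": smb2_tree_connect(r"\\192.168.1.10\C$"),
        "smb2_admin$": smb2_tree_connect(r"\\192.168.1.10\ADMIN$"),
        "smb2_public": smb2_tree_connect(r"\\192.168.1.10\Public"),
        "smb2_write_not_tree": smb2_tree_connect(r"\\192.168.1.10\C$", command=0x0009),
        "smb1_unicode_c$": smb1_tree_connect_andx(r"\\192.168.1.10\C$", unicode=True),
        "smb1_ascii_c$": smb1_tree_connect_andx(r"\\192.168.1.10\C$", unicode=False),
    }
    return {name: (POSTER_PCRE.search(p) is not None, admin_share_access(p))
            for name, p in samples.items()}


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:22s} posted_pcre={result[0]!s:5s} share={result[1]}")
```

Only the legacy ASCII SMB1 sample trips the posted pattern; every SMB2 and Unicode SMB1 request is missed. Translated to Snort 2.9 rule options the same gate is `flow:to_server,established; content:"|FE|SMB"; offset:4; depth:4; content:"|03 00|"; distance:8; within:2;` followed by a share match such as `content:"|5C 00|C|00 24 00|"; nocase;` (one rule per share, or a pcre with the interleaved `\x00` bytes as in the block). If a preprocessor event is enough, the dcerpc2_server option `smb_invalid_shares "C$" "D$" "ADMIN$"` raises a GID 133 alert on tree connects to those shares, but only when `include $PREPROC_RULE_PATH/preprocessor.rules` is uncommented in snort.conf; the stock file ships that line commented out.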
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe: https://lists.snort.org/mailman/listinfo/snort-users
To unsubscribe, send an email to: snort-users-leave () lists snort org

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
Current thread:
- Re: Detecting administrative share access Tewodros Ambasa via Snort-users (Jan 27)
- Re: Detecting administrative share access Al Lewis (allewi) via Snort-users (Jan 27)
- Re: Detecting administrative share access Dorian ROSSE via Snort-users (Jan 27)
- <Possible follow-ups>
- Re: Detecting administrative share access Tewodros Ambasa via Snort-users (Jan 28)