Snort mailing list archives

Re: Detecting administrative share access


From: Dorian ROSSE via Snort-users <snort-users () lists snort org>
Date: Sun, 27 Jan 2019 13:04:20 +0000

Have you tried a socket other than Samba?

You can try TFTP 😉,

There are a lot of share sockets!

Regards.


Dorian ROSSE.

________________________________
From: Snort-users <snort-users-bounces () lists snort org> on behalf of Tewodros Ambasa via Snort-users <snort-users () lists snort org>
Sent: Sunday, January 27, 2019 11:02:51 AM
To: snort-users () lists snort org
Subject: Re: [Snort-users] Detecting administrative share access

Hello. I have been trying to detect administrative share access on my network. I have read that the dcerpc2 processor can detect administrative share access and seems to be enabled by default in snort.conf, but I do not get any alerts when testing it by accessing \\192.168.1.10\C$ or \\192.168.1.10\ADMIN$.

I have also created a custom rule to detect administrative access:

alert tcp any any -> $HOME_NET 445 (msg:"Admin share access"; pcre:"/(ADMIN\$)|(C\$)/i"; sid:1000200; rev:1; classtype:misc-activity;)

However, no alerts are triggered. What could the issue be?



_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

        To unsubscribe, send an email to:
        snort-users-leave () lists snort org

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
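Added here as an illustration of why an ASCII pcre like the one in the quoted post does not fire on SMB2 share access (this is not code from either poster): the SMB2 TREE_CONNECT request carries the share path as UTF-16LE, so the bytes on the wire are A\0D\0M\0I\0N\0$\0, not "ADMIN$". The request below is constructed to the MS-SMB2 header and TREE_CONNECT layout; the 4-byte NetBIOS session header that precedes SMB2 on TCP/445 is omitted, and the session id is a made-up value.

```python
import re
import struct
from typing import Optional

SMB2_TREE_CONNECT = 0x0003
# Share names that indicate administrative share access (case-insensitive).
ADMIN_SHARE_RE = re.compile(r"\\(ADMIN\$|C\$)$", re.IGNORECASE)

def build_smb2_tree_connect(path: str, message_id: int = 4) -> bytes:
    """Constructed SMB2 TREE_CONNECT request: 64-byte header + 9-byte body,
    then the UTF-16LE path (MS-SMB2 layout); PathOffset = 64 + 8 = 72."""
    header = struct.pack(
        "<4sHHIHHIIQIIQ16s",
        b"\xfeSMB", 64, 0, 0, SMB2_TREE_CONNECT, 1, 0, 0,
        message_id, 0, 0, 0x1234, b"\x00" * 16,  # SessionId 0x1234 is made up
    )
    path_bytes = path.encode("utf-16-le")
    body = struct.pack("<HHHH", 9, 0, 72, len(path_bytes))
    return header + body + path_bytes

def parse_tree_connect_path(pkt: bytes) -> Optional[str]:
    """Return the share path of an SMB2 TREE_CONNECT request, else None."""
    if len(pkt) < 72 or pkt[:4] != b"\xfeSMB":
        return None
    if struct.unpack_from("<H", pkt, 12)[0] != SMB2_TREE_CONNECT:
        return None
    path_off, path_len = struct.unpack_from("<HH", pkt, 68)
    if path_len % 2 or path_off + path_len > len(pkt):
        return None  # truncated or malformed; do not guess
    return pkt[path_off:path_off + path_len].decode("utf-16-le")

def ascii_rule_matches(pkt: bytes) -> bool:
    """The quoted post's pcre applied to the raw payload, as Snort would."""
    return re.search(rb"(ADMIN\$)|(C\$)", pkt, re.IGNORECASE) is not None

def is_admin_share_connect(pkt: bytes) -> bool:
    """Detection that decodes the path first, then checks the share name."""
    path = parse_tree_connect_path(pkt)
    return path is not None and ADMIN_SHARE_RE.search(path) is not None

def snort_utf16_content(share: str) -> str:
    """Hex content string for matching a share name in UTF-16LE with Snort."""
    return "|" + " ".join(f"{b:02X}" for b in share.encode("utf-16-le")) + "|"

if __name__ == "__main__":
    pkt = build_smb2_tree_connect(r"\\192.168.1.10\ADMIN$")
    print("ascii pcre:", ascii_rule_matches(pkt))        # False
    print("utf-16 aware:", is_admin_share_connect(pkt))  # True
    print("snort content:", snort_utf16_content("ADMIN$"))
```

The last line prints the hex string you would put in a Snort content match for the UTF-16LE share name; in live traffic, offsets also have to account for the 4-byte NetBIOS session header.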
