Snort mailing list archives

RE: how would you log failed windows logins etc?


From: "Gavin Lowe" <gavin () vanderwell com>
Date: Fri, 16 May 2003 14:03:54 -0600

Benny,

I use these rules in my local.rules files to monitor failed logon
attempts - I too was surprised they were not standard.  The message and
sids are of my own making and really don't mean anything.

alert tcp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"Possible External Logon Attempt"; sid: 2766; classtype: unsuccessful-user; priority: 1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"Possible External File Sharing - Printing"; sid: 2764; classtype: unsuccessful-user; priority: 1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 389 (msg:"Possible External Active Directory Access"; sid: 2765; classtype: unsuccessful-user; priority: 1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"Possible External Activity MISC"; sid: 2767; classtype: unsuccessful-user; priority: 1;)

WARNING:  You will receive a LOT of traffic from these rules.  It is
possible to filter for just the failed status, but I haven't done that
yet.

The following is an Event log entry, 4 Snort entries logged to an MS-SQL
database, and the entries from the Snort Alert file associated with a
very recent logon attempt from the outside world.  The generic port
rules above caught the logon attempt 8 minutes before the failed logon
attempt generated the single event log entry.

Event Log Entry:

Event Type:       Failure Audit
Event Source:     Security
Event Category:   Logon/Logoff
Event ID:         529
Date:             5/16/2003
Time:             12:38:35 PM
User:             NT AUTHORITY\SYSTEM
Computer:         xxxxxxxx
Description:
Logon Failure:
            Reason:                 Unknown user name or bad password
            User Name:              Administrator
            Domain:                 CHINAGRANDINC
            Logon Type:             3
            Logon Process:          NtLmSsp
            Authentication Package: NTLM
            Workstation Name:       ISA2

Snort Data table Entries (from MS-SQL recorded as ASCII)

Entry #1: .....SMBr.....S......................b..PC NETWORK PROGRAM
1.0..LANMAN1.0..Windows for Workgroups 3.1a..LM1.2X002..LANMAN2.1..NT LM
0.12.

Entry #2: .....SMBs.........BSRSPYL
........@.......A2.......B...........`@..+......604..0...+.....7....\".
NTLMSSP..........................W.i.n.d.o.w.s. .2.0.0.0.
.2.1.9.5...W.i.n.d.o.w.s. .2.0.0.0. .5...0.....

Entry #3: ...L.SMBs.........BSRSPYL
.............L..A2......................0........NTLMSSP.........|......
.........@.......Z.......t...............C.H.I.N.A.G.R.A.N.D.I.N.C.A.d.m
.i.n.i.s.t.r.a.t.o.r.I.S.A.2....J..d..................f....|...7......L.
.h.....7....:.S.D.d...W.i.n.d.o.w.s. .2.0.0.0. .2.1.9.5...W.i.n.d.o.w.s.
.2.0.0.0. .5...0.....

Entry #4: ...D ENEJEEFAEPEJEOFECACACACACACACACA.
EMEPEDEBEMEIEPFDFECACACACACACACA.

Snort Alert Log

05/16-12:30:02.437435  [**] [1:2767:0] Possible External Activity MISC
[**] [Classification: Unsuccessful User Privilege Gain] [Priority: 1]
{TCP} 218.244.255.99:45488 -> xxx.xxx.xxx.xxx:445

05/16-12:30:03.441190  [**] [1:2767:0] Possible External Activity MISC
[**] [Classification: Unsuccessful User Privilege Gain] [Priority: 1]
{TCP} 218.244.255.99:45488 -> xxx.xxx.xxx.xxx:445

05/16-12:30:03.441247  [**] [1:2767:0] Possible External Activity MISC
[**] [Classification: Unsuccessful User Privilege Gain] [Priority: 1]
{TCP} 218.244.255.99:45488 -> xxx.xxx.xxx.xxx:445

05/16-12:30:04.554075  [**] [1:2767:0] Possible External Activity MISC
[**] [Classification: Unsuccessful User Privilege Gain] [Priority: 1]
{TCP} 218.244.255.99:45488 -> xxx.xxx.xxx.xxx:445

05/16-12:38:31.778379  [**] [1:2767:0] Possible External Activity MISC
[**] [Classification: Unsuccessful User Privilege Gain] [Priority: 1]
{TCP} 218.244.255.99:47435 -> xxx.xxx.xxx.xxx:445

05/16-12:38:31.778584  [**] [1:2764:0] Possible External File Sharing -
Printing [**] [Classification: Unsuccessful User Privilege Gain]
[Priority: 1] {TCP} 218.244.255.99:1025 -> xxx.xxx.xxx.xxx:139

05/16-12:38:31.778654  [**] [1:2764:0] Possible External File Sharing -
Printing [**] [Classification: Unsuccessful User Privilege Gain]
[Priority: 1] {TCP} 218.244.255.99:47437 -> xxx.xxx.xxx.xxx:139

05/16-12:38:32.834196  [**] [1:2767:0] Possible External Activity MISC
[**] [Classification: Unsuccessful User Privilege Gain] [Priority: 1]
{TCP} 218.244.255.99:47435 -> xxx.xxx.xxx.xxx:445

05/16-12:38:32.974164  [**] [1:2764:0] Possible External File Sharing -
Printing [**] [Classification: Unsuccessful User Privilege Gain]
[Priority: 1] {TCP} 218.244.255.99:1025 -> xxx.xxx.xxx.xxx:139

05/16-12:38:32.974225  [**] [1:2764:0] Possible External File Sharing -
Printing [**] [Classification: Unsuccessful User Privilege Gain]
[Priority: 1] {TCP} 218.244.255.99:47437 -> xxx.xxx.xxx.xxx:139

05/16-12:38:33.091158  [**] [1:2767:0] Possible External Activity MISC
[**] [Classification: Unsuccessful User Privilege Gain] [Priority: 1]
{TCP} 218.244.255.99:47435 -> xxx.xxx.xxx.xxx:445

05/16-12:38:34.399048  [**] [1:2767:0] Possible External Activity MISC
[**] [Classification: Unsuccessful User Privilege Gain] [Priority: 1]
{TCP} 218.244.255.99:47435 -> xxx.xxx.xxx.xxx:445

05/16-12:38:36.155648  [**] [1:2767:0] Possible External Activity MISC
[**] [Classification: Unsuccessful User Privilege Gain] [Priority: 1]
{TCP} 218.244.255.99:47435 -> xxx.xxx.xxx.xxx:445

05/16-12:38:37.275455  [**] [1:2767:0] Possible External Activity MISC
[**] [Classification: Unsuccessful User Privilege Gain] [Priority: 1]
{TCP} 218.244.255.99:47435 -> xxx.xxx.xxx.xxx:445

05/16-12:38:38.399280  [**] [1:2767:0] Possible External Activity MISC
[**] [Classification: Unsuccessful User Privilege Gain] [Priority: 1]
{TCP} 218.244.255.99:47435 -> xxx.xxx.xxx.xxx:445

05/16-12:38:38.523242  [**] [1:2767:0] Possible External Activity MISC
[**] [Classification: Unsuccessful User Privilege Gain] [Priority: 1]
{TCP} 218.244.255.99:47435 -> xxx.xxx.xxx.xxx:445

05/16-12:38:39.589311  [**] [1:2767:0] Possible External Activity MISC
[**] [Classification: Unsuccessful User Privilege Gain] [Priority: 1]
{TCP} 218.244.255.99:47435 -> xxx.xxx.xxx.xxx:445

A trace of the source IP 218.244.255.99 shows it registered to Asia
Pacific Network Information Centre in Australia (218.0.0.0 -
218.255.255.255) - a long way from Alberta, Canada.

Gavin Lowe

Programmer / Network Administrator

glowe () vanderwell com

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Horta,
Benny
Sent: Friday, May 16, 2003 12:10 PM
To: Snort-users () lists sourceforge net
Subject: [Snort-users] how would you log failed windows logins etc?

I am surprised no one has added to the default signatures failed login
attempts to a Windows server. How would such a signature be written, and
how would someone log any administrator account logins (i.e. user
administrator)?

This would be useful to see account churners trying to brute-force.
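
One way to narrow the port-only rules in the reply above to just failed logons, as an added example that is not part of the thread or of the Snort distribution. It assumes SMB1 over TCP as in the captured entries (NT LM 0.12), a 4-byte NetBIOS session header in front of the SMB header, and constructed local sids; the last rule also assumes a Snort version that has detection_filter and port lists (2.8.5 or later).

```snort
# Added example; sids 1000001-1000003 are constructed local values.
#
# Layout of a server reply on TCP 139/445 (SMB1):
#   bytes 0-3   NetBIOS session header
#   bytes 4-7   |FF|SMB
#   byte  8     command; |73| = Session Setup AndX ("SMBs" in the dump above)
#   bytes 9-12  NT status, little-endian
#
# "Unknown user name or bad password" (event 529) is returned to the client
# as STATUS_LOGON_FAILURE, 0xC000006D, i.e. |6D 00 00 C0| on the wire.
# The status comes from the server, so these rules watch the reply
# direction ($HOME_NET -> $EXTERNAL_NET), the reverse of the rules above.

# One alert per failed Session Setup over direct-hosted SMB (445).
alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"SMB logon failure returned to external host (445)"; flow:from_server,established; content:"|FF|SMB|73|"; offset:4; depth:5; content:"|6D 00 00 C0|"; within:4; classtype:unsuccessful-user; sid:1000001; rev:1;)

# Same check for SMB over the NetBIOS session service (139).
alert tcp $HOME_NET 139 -> $EXTERNAL_NET any (msg:"SMB logon failure returned to external host (139)"; flow:from_server,established; content:"|FF|SMB|73|"; offset:4; depth:5; content:"|6D 00 00 C0|"; within:4; classtype:unsuccessful-user; sid:1000002; rev:1;)

# Brute-force variant: stay quiet until one external host (the destination
# of the replies) has been sent more than 5 failures within 60 seconds.
alert tcp $HOME_NET [139,445] -> $EXTERNAL_NET any (msg:"SMB repeated logon failures to one external host"; flow:from_server,established; content:"|FF|SMB|73|"; offset:4; depth:5; content:"|6D 00 00 C0|"; within:4; detection_filter:track by_dst, count 5, seconds 60; classtype:unsuccessful-user; sid:1000003; rev:1;)
```

These rules inspect only the first SMB message in each TCP payload and do not cover SMB2 or encrypted sessions, so the Windows Security event log remains the authoritative record of failed logons.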

