Snort mailing list archives
RE: how would you log failed windows logins etc?
From: "Gavin Lowe" <gavin () vanderwell com>
Date: Fri, 16 May 2003 14:03:54 -0600
Benny, I use these rules in my local.rules file to monitor failed logon attempts. I too was surprised they were not standard. The messages and SIDs are of my own making and really don't mean anything.

alert tcp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"Possible External Logon Attempt"; sid: 2766; classtype: unsuccessful-user; priority: 1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"Possible External File Sharing - Printing"; sid: 2764; classtype: unsuccessful-user; priority: 1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 389 (msg:"Possible External Active Directory Access"; sid: 2765; classtype: unsuccessful-user; priority: 1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"Possible External Activity MISC"; sid: 2767; classtype: unsuccessful-user; priority: 1;)

WARNING: You will receive a LOT of traffic from these rules. It is possible to filter for just the failed status, but I haven't done that yet.

The following is an Event Log entry, 4 Snort entries logged to an MS-SQL database, and the entries from the Snort alert file associated with a very recent logon attempt from the outside world. The generic port rules above caught the logon attempt 8 minutes before the failed logon attempt generated the single Event Log entry.

Event Log Entry:

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 5/16/2003
Time: 12:38:35 PM
User: NT AUTHORITY\SYSTEM
Computer: xxxxxxxx
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Administrator
Domain: CHINAGRANDINC
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: ISA2

Snort data table entries (from MS-SQL, recorded as ASCII):

Entry #1: .....SMBr.....S......................b..PC NETWORK PROGRAM 1.0..LANMAN1.0..Windows for Workgroups 3.1a..LM1.2X002..LANMAN2.1..NT LM 0.12.
Entry #2: .....SMBs.........BSRSPYL ........@.......A2.......B...........`@..+......604..0...+.....7....\". NTLMSSP..........................W.i.n.d.o.w.s. .2.0.0.0. .2.1.9.5...W.i.n.d.o.w.s. .2.0.0.0. .5...0.....
Entry #3: ...L.SMBs.........BSRSPYL .............L..A2......................0........NTLMSSP.........|...... .........@.......Z.......t...............C.H.I.N.A.G.R.A.N.D.I.N.C.A.d.m .i.n.i.s.t.r.a.t.o.r.I.S.A.2....J..d..................f....|...7......L. .h.....7....:.S.D.d...W.i.n.d.o.w.s. .2.0.0.0. .2.1.9.5...W.i.n.d.o.w.s. .2.0.0.0. .5...0.....
Entry #4: ...D ENEJEEFAEPEJEOFECACACACACACACACA. EMEPEDEBEMEIEPFDFECACACACACACACA.

Snort Alert Log:

05/16-12:30:02.437435 [**] [1:2767:0] Possible External Activity MISC [**] [Classification: Unsuccessful User Privilege Gain] [Priority: 1] {TCP} 218.244.255.99:45488 -> xxx.xxx.xxx.xxx:445
05/16-12:30:03.441190 [**] [1:2767:0] Possible External Activity MISC [**] [Classification: Unsuccessful User Privilege Gain] [Priority: 1] {TCP} 218.244.255.99:45488 -> xxx.xxx.xxx.xxx:445
05/16-12:30:03.441247 [**] [1:2767:0] Possible External Activity MISC [**] [Classification: Unsuccessful User Privilege Gain] [Priority: 1] {TCP} 218.244.255.99:45488 -> xxx.xxx.xxx.xxx:445
05/16-12:30:04.554075 [**] [1:2767:0] Possible External Activity MISC [**] [Classification: Unsuccessful User Privilege Gain] [Priority: 1] {TCP} 218.244.255.99:45488 -> xxx.xxx.xxx.xxx:445
05/16-12:38:31.778379 [**] [1:2767:0] Possible External Activity MISC [**] [Classification: Unsuccessful User Privilege Gain] [Priority: 1] {TCP} 218.244.255.99:47435 -> xxx.xxx.xxx.xxx:445
05/16-12:38:31.778584 [**] [1:2764:0] Possible External File Sharing - Printing [**] [Classification: Unsuccessful User Privilege Gain] [Priority: 1] {TCP} 218.244.255.99:1025 -> xxx.xxx.xxx.xxx:139
05/16-12:38:31.778654 [**] [1:2764:0] Possible External File Sharing - Printing [**] [Classification: Unsuccessful User Privilege Gain] [Priority: 1] {TCP} 218.244.255.99:47437 -> xxx.xxx.xxx.xxx:139
05/16-12:38:32.834196 [**] [1:2767:0] Possible External Activity MISC [**] [Classification: Unsuccessful User Privilege Gain] [Priority: 1] {TCP} 218.244.255.99:47435 -> xxx.xxx.xxx.xxx:445
05/16-12:38:32.974164 [**] [1:2764:0] Possible External File Sharing - Printing [**] [Classification: Unsuccessful User Privilege Gain] [Priority: 1] {TCP} 218.244.255.99:1025 -> xxx.xxx.xxx.xxx:139
05/16-12:38:32.974225 [**] [1:2764:0] Possible External File Sharing - Printing [**] [Classification: Unsuccessful User Privilege Gain] [Priority: 1] {TCP} 218.244.255.99:47437 -> xxx.xxx.xxx.xxx:139
05/16-12:38:33.091158 [**] [1:2767:0] Possible External Activity MISC [**] [Classification: Unsuccessful User Privilege Gain] [Priority: 1] {TCP} 218.244.255.99:47435 -> xxx.xxx.xxx.xxx:445
05/16-12:38:34.399048 [**] [1:2767:0] Possible External Activity MISC [**] [Classification: Unsuccessful User Privilege Gain] [Priority: 1] {TCP} 218.244.255.99:47435 -> xxx.xxx.xxx.xxx:445
05/16-12:38:36.155648 [**] [1:2767:0] Possible External Activity MISC [**] [Classification: Unsuccessful User Privilege Gain] [Priority: 1] {TCP} 218.244.255.99:47435 -> xxx.xxx.xxx.xxx:445
05/16-12:38:37.275455 [**] [1:2767:0] Possible External Activity MISC [**] [Classification: Unsuccessful User Privilege Gain] [Priority: 1] {TCP} 218.244.255.99:47435 -> xxx.xxx.xxx.xxx:445
05/16-12:38:38.399280 [**] [1:2767:0] Possible External Activity MISC [**] [Classification: Unsuccessful User Privilege Gain] [Priority: 1] {TCP} 218.244.255.99:47435 -> xxx.xxx.xxx.xxx:445
05/16-12:38:38.523242 [**] [1:2767:0] Possible External Activity MISC [**] [Classification: Unsuccessful User Privilege Gain] [Priority: 1] {TCP} 218.244.255.99:47435 -> xxx.xxx.xxx.xxx:445
05/16-12:38:39.589311 [**] [1:2767:0] Possible External Activity MISC [**] [Classification: Unsuccessful User Privilege Gain] [Priority: 1] {TCP} 218.244.255.99:47435 -> xxx.xxx.xxx.xxx:445

A trace of the source IP 218.244.255.99 shows it registered to Asia Pacific Network Information Centre in Australia (218.0.0.0 - 218.255.255.255), a long way from Alberta, Canada.

Gavin Lowe
Programmer / Network Administrator
glowe () vanderwell com

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Horta, Benny
Sent: Friday, May 16, 2003 12:10 PM
To: Snort-users () lists sourceforge net
Subject: [Snort-users] how would you log failed windows logins etc?

I am surprised no one has added failed login attempts to a Windows server to the default signatures. How would such a signature be written, and how would someone log any administrator account logins (i.e. user administrator)? This would be useful to see account churners trying to brute-force.
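Added here as a worked example (not code from the post or from Snort): a small Python correlation of the fast-alert lines above with the Event Viewer timestamp, grouping hits by source IP so the lead between the first port-445 alert and the Event ID 529 failure audit can be read off. It assumes the alert year is 2003 and uses a constructed sample with the masked destination replaced by the documentation address 192.0.2.10.

```python
import re
from collections import defaultdict
from datetime import datetime

# Snort fast-alert line as pasted in the post (one per line):
# 05/16-12:30:02.437435 [**] [1:2767:0] <msg> [**] [Classification: <c>] [Priority: 1] {TCP} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) \[\*\*\] "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?\[Priority: (?P<pri>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[^:\s]+):(?P<sport>\d+) -> (?P<dst>[^:\s]+):(?P<dport>\d+)$"
)

def parse_alert(line, year=2003):
    """Parse one fast-alert line; None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # The fast format carries no year; the caller supplies it (2003 for this post).
    rec["time"] = datetime.strptime(f"{year}/{rec['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    for key in ("sid", "sport", "dport", "pri"):
        rec[key] = int(rec[key])
    return rec

def summarize_by_source(lines, year=2003):
    """Group alerts by source IP: hit count, SIDs fired, ports touched, time span."""
    out = defaultdict(lambda: {"count": 0, "sids": set(), "dports": set(),
                               "first": datetime.max, "last": datetime.min})
    for rec in filter(None, (parse_alert(l, year) for l in lines)):
        s = out[rec["src"]]
        s["count"] += 1
        s["sids"].add(rec["sid"])
        s["dports"].add(rec["dport"])
        s["first"], s["last"] = min(s["first"], rec["time"]), max(s["last"], rec["time"])
    return dict(out)

def event_log_time(date_field, time_field):
    """Event Viewer 'Date:'/'Time:' fields, e.g. '5/16/2003' and '12:38:35 PM'."""
    return datetime.strptime(f"{date_field} {time_field}", "%m/%d/%Y %I:%M:%S %p")

def lead_seconds(summary, src, event_time):
    """Seconds from the first Snort hit by src to the Event ID 529 failure audit."""
    return (event_time - summary[src]["first"]).total_seconds()

# Constructed sample: three of the post's alert lines, with the masked
# destination replaced by the documentation address 192.0.2.10.
SAMPLE_ALERTS = """
05/16-12:30:02.437435 [**] [1:2767:0] Possible External Activity MISC [**] [Classification: Unsuccessful User Privilege Gain] [Priority: 1] {TCP} 218.244.255.99:45488 -> 192.0.2.10:445
05/16-12:38:31.778379 [**] [1:2767:0] Possible External Activity MISC [**] [Classification: Unsuccessful User Privilege Gain] [Priority: 1] {TCP} 218.244.255.99:47435 -> 192.0.2.10:445
05/16-12:38:31.778584 [**] [1:2764:0] Possible External File Sharing - Printing [**] [Classification: Unsuccessful User Privilege Gain] [Priority: 1] {TCP} 218.244.255.99:1025 -> 192.0.2.10:139
""".strip().splitlines()
```

Running `summarize_by_source(SAMPLE_ALERTS)` and `lead_seconds(...)` against `event_log_time("5/16/2003", "12:38:35 PM")` gives a lead of roughly 512 seconds, the 8-minute gap the post describes.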