RE: SMB login Failure

["Horta, Benny" <BHorta1 () dadeschools net>]

It would be interested to see I will try it on my network, for some reason
it seems these  types of signatures does not interest anyone. maybe everyone
on the list runs linux :)

-----Original Message-----
From: Andy Wood [mailto:andy.wood () sptrm com]
Sent: Thursday, June 05, 2003 8:21 PM
To: 'snort-sigs () lists sourceforge net';
snort-users () lists sourceforge net
Subject: [Snort-users] SMB login Failure


        The Cisco IDSs do a good job of having rules to detect internal
attacks, one being SMB Login Failure.  This rule is nice for detecting
servers that have misconfigured services, as well as someone trying to brute
force.  There is no snort rule that detects SMB failures that I have seen.
I have captured a failure, but am not able to tell if I have constructed the
best rule. Can anyone offer any suggestions?  My doubt comes with the Offset
and Depth section, as I'm not quite sure how to determine byte positions
within the Hex patterns.  (The rule does work with both being set to 1)
Thanks.

        Attached is the cap in TCPDUMP format.  Packet 33 is the server's
failure response.

alert tcp any 139 -> any any (msg:"SMB Login Failure - Port 139";
flow:to_client,established; content:"|6d 00 00 c0|"; offset: 1; depth 1; sid
3000004; rev:1;)

alert tcp any 445 -> any any (msg:"SMB Login Failure - Port 445";
flow:to_client,established; content:"|6d 00 00 c0|"; offset: 1; depth 1; sid
3000005; rev:1;)

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.487 / Virus Database: 286 - Release Date: 6/1/2003