Snort mailing list archives
RE: SNORT Rule for netbios brute force break-in
From: "Shaffer, Paul D" <paul.d.shaffer () lmco com>
Date: Wed, 11 Feb 2004 09:15:47 -0700
Robert, trying to control or mitigate this behavior with Snort may not be the best approach. Check out the TechNet article at:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/maintain/operate/BPACTLCK.asp

It explains this issue (among others) in terms of some registry values that should alleviate the problem. It looks like adjusting your LockoutDuration and ObservationWindow settings would better address this problem.

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Robert Caplan
Sent: Wednesday, February 11, 2004 7:57 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] SNORT Rule for netbios brute force break-in

My network administrators are constantly flooded with requests to reset Windows accounts which have been locked out because of brute force/dictionary break-in accounts on the netbios port. Intruders are able to enumerate the usernames and by brute force attempt to gain access. Does anyone know of a Snort rule which will detect this behavior?

Thanks,
Robert Caplan