Snort mailing list archives

RE: SNORT Rule for netbios brute force break-in


From: "Shaffer, Paul D" <paul.d.shaffer () lmco com>
Date: Wed, 11 Feb 2004 09:15:47 -0700

Robert, trying to control or mitigate this behavior with Snort may not be the best approach.  Check out the TechNet 
article at:
 
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/maintain/operate/BPACTLCK.asp
 
It explains this issue (among others) in terms of some registry values that should alleviate the problem.  It looks 
like adjusting your LockoutDuration and ObservationWindow settings would better address this problem.
 
-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Robert Caplan
Sent: Wednesday, February 11, 2004 7:57 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] SNORT Rule for netbios brute force break-in




My network administrators are constantly flooded with requests to reset Windows accounts which have been locked out 
because of brute force/dictionary break-in accounts on the netbios port.  Intruders are able to enumerate the usernames 
and by brute force attempt to gain access.  Does anyone know of a Snort rule which will detect this behavior?
 
Thanks,
 
Robert Caplan
 

