Snort mailing list archives

RE: SNORT Rule for netbios brute force break-in


From: "larosa, vjay" <larosa_vjay () emc com>
Date: Thu, 12 Feb 2004 00:09:41 -0500

I put this rule together a while ago. It works very well for detecting brute
force SMB share logins and network walking worms that continuously fail when
attempting to log in. Adjust the threshold to your liking and go from there.
The rule tracks by destination because it is based on a reply from the
server to the client attempting to login. Right now the rule must trigger 10
times within 240 seconds before an event is logged. You may want to set the
count to something like 5 times in 60 seconds for your environment, or
whatever your login lockouts are set to. Good luck, hope it works ok for
you.

vjl

# Matches the server's SMB1 Session Setup AndX *response* carrying STATUS_LOGON_FAILURE:
#   00 00 00 23   NetBIOS session message, length 0x23 (a 35-byte SMB error reply)
#   ff 53 4d 42   SMB magic "\xffSMB"
#   73            SMB_COM_SESSION_SETUP_ANDX
#   6d 00 00 c0   NT status 0xC000006D (STATUS_LOGON_FAILURE), little-endian
# track by_dst: the destination of this server->client reply is the client doing the guessing.
alert tcp $HOME_NET 139 -> $EXTERNAL_NET any (content:"|00 00 00 23 ff 53 4d 42 73 6d 00 00 c0|"; depth:13; flow:from_server; threshold:type threshold, track by_dst, count 10, seconds 240; msg:"NETBIOS SMB Login Failed."; classtype:unsuccessful-user; sid:1000000; rev:14;)
# Same match for direct-hosted SMB on TCP 445.
alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (content:"|00 00 00 23 ff 53 4d 42 73 6d 00 00 c0|"; depth:13; flow:from_server; threshold:type threshold, track by_dst, count 10, seconds 240; msg:"NETBIOS SMB Login Failed."; classtype:unsuccessful-user; sid:1000001; rev:10;)
-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Robert Caplan
Sent: Wednesday, February 11, 2004 9:53 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] SNORT Rule for netbios brute force break-in
My network administrators are constantly flooded with requests to reset
Windows accounts which have been locked out because of brute
force/dictionary break-in attempts on the netbios port.  Intruders are able
to enumerate the usernames and by brute force attempt to gain access.  Does
anyone know of a Snort rule which will detect this behavior?
Thanks,
Robert Caplan
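Added example, not part of either message above and not Snort's own code: the 13-byte content match from the posted rule, decoded field by field, plus an approximation of `threshold:type threshold, track by_dst, count 10, seconds 240` run over a constructed stream of server-to-client packets. The packet builder, the IP addresses, the timings and the `DstThreshold` reset behaviour (count and window restart after an alert) are assumptions made for the demonstration.

```python
"""What the posted Snort rule matches, re-implemented so it can be exercised offline.

The rule's 13 bytes |00 00 00 23 ff 53 4d 42 73 6d 00 00 c0| decompose as:
  00 00 00 23   NetBIOS session message, length 0x23 = 35 (SMB header + WordCount + ByteCount)
  ff 53 4d 42   SMB magic "\xffSMB"
  73            SMB_COM_SESSION_SETUP_ANDX
  6d 00 00 c0   NT status, little-endian 0xC000006D = STATUS_LOGON_FAILURE
"""
import struct

NB_SESSION_MESSAGE = 0x00
SMB_MAGIC = b"\xffSMB"
SMB_COM_SESSION_SETUP_ANDX = 0x73
STATUS_LOGON_FAILURE = 0xC000006D
# The posted rule's content option as bytes; depth:13 is implied by its length.
RULE_CONTENT = bytes.fromhex("00000023ff534d42736d0000c0")


def build_session_setup_response(nt_status: int) -> bytes:
    """Constructed sample packet: NetBIOS-framed SMB1 Session Setup AndX response with
    no parameter words and no data bytes, i.e. the shape of an error reply."""
    smb = (SMB_MAGIC
           + bytes([SMB_COM_SESSION_SETUP_ANDX])
           + struct.pack("<I", nt_status)        # Status (NT status, little-endian)
           + bytes([0x88])                        # Flags: reply, case-insensitive
           + struct.pack("<H", 0xC001)            # Flags2: NT status codes, Unicode
           + b"\x00" * 2                          # PIDHigh
           + b"\x00" * 8                          # SecurityFeatures
           + b"\x00" * 2                          # Reserved
           + struct.pack("<HHHH", 0, 0xFEFF, 0, 0)  # TID, PID, UID, MID
           + b"\x00" + struct.pack("<H", 0))      # WordCount=0, ByteCount=0 -> 35 bytes
    return bytes([NB_SESSION_MESSAGE]) + len(smb).to_bytes(3, "big") + smb


def matches_rule_content(payload: bytes) -> bool:
    """Exactly what content:"..."; depth:13 checks: the 13 bytes must sit at offset 0."""
    return payload[:13] == RULE_CONTENT


def decode_smb_status(payload: bytes):
    """Field-wise view of the same bytes: (netbios_len, smb_command, nt_status) or None."""
    if len(payload) < 13 or payload[0] != NB_SESSION_MESSAGE or payload[4:8] != SMB_MAGIC:
        return None
    nb_len = int.from_bytes(payload[1:4], "big")
    command = payload[8]
    status = struct.unpack_from("<I", payload, 9)[0]
    return nb_len, command, status


class DstThreshold:
    """Assumed approximation of threshold:type threshold, track by_dst: per destination
    address, fire once `count` events arrive within `seconds`, then start counting again."""

    def __init__(self, count: int = 10, seconds: float = 240.0):
        self.count, self.seconds = count, seconds
        self.state = {}  # dst -> (window_start, events_seen)

    def event(self, dst: str, t: float) -> bool:
        start, n = self.state.get(dst, (t, 0))
        if t - start > self.seconds:      # window expired: restart it at this event
            start, n = t, 0
        n += 1
        if n >= self.count:
            self.state[dst] = (t, 0)      # alert, then reset (assumption, see lead-in)
            return True
        self.state[dst] = (start, n)
        return False


def detect(events, count: int = 10, seconds: float = 240.0):
    """events: (t, src, sport, dst, payload) for server->client packets.
    Returns [(dst, t)] alerts, one per "NETBIOS SMB Login Failed." threshold crossing."""
    th = DstThreshold(count, seconds)
    alerts = []
    for t, src, sport, dst, payload in events:
        if sport not in (139, 445) or not matches_rule_content(payload):
            continue  # not an SMB logon-failure reply from a file-sharing port
        if th.event(dst, t):
            alerts.append((dst, t))
    return alerts


def run_demo():
    """Constructed traffic: one guessing client, one that gives up, one that is too slow."""
    fail = build_session_setup_response(STATUS_LOGON_FAILURE)
    ok = build_session_setup_response(0)  # STATUS_SUCCESS: must not count
    server = "192.0.2.10"
    events = []
    for i in range(12):            # client A: 12 failures 5 s apart -> 10th at t=45 fires
        events.append((i * 5.0, server, 445, "198.51.100.7", fail))
    for i in range(4):             # client B: 4 failures then a success -> never reaches 10
        events.append((100.0 + i, server, 139, "198.51.100.8", fail))
    events.append((105.0, server, 139, "198.51.100.8", ok))
    for i in range(10):            # client C: 10 failures 60 s apart -> window expires first
        events.append((1000.0 + i * 60.0, server, 445, "198.51.100.9", fail))
    events.sort(key=lambda e: e[0])
    return detect(events)


if __name__ == "__main__":
    print(run_demo())
```

Two practical notes. The match is on the reply, so `flow:from_server` plus `track by_dst` is what makes the counter key the guessing client rather than the server; swapping to `by_src` would lump every client against one file server into a single counter. And on Snort 2.8.5 and later the in-rule `threshold` keyword is deprecated in favour of `detection_filter`, whose semantics differ slightly: it fires on the count-th match and on every later match inside the window, rather than once per `count` matches as modelled above.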