Snort mailing list archives
RE: SNORT Rule for netbios brute force break-in
From: "larosa, vjay" <larosa_vjay () emc com>
Date: Thu, 12 Feb 2004 00:09:41 -0500
I put this rule together a while ago. It works very well for detecting brute force SMB share logins and network walking worms that continuously fail when attempting to log in. Adjust the threshold to your liking and go from there. The rule tracks by destination because it is based on a reply from the server to the client attempting to log in. Right now the rule must trigger 10 times within 240 seconds before an event is logged. You may want to set the count to something like 5 times in 60 seconds for your environment, or whatever your login lockouts are set to. Good luck, hope it works ok for you.

vjl

alert tcp $HOME_NET 139 -> $EXTERNAL_NET any (content:"|00 00 00 23 ff 53 4d 42 73 6d 00 00 c0|"; depth:13; flow:from_server; threshold:type threshold, track by_dst, count 10, seconds 240; msg:"NETBIOS SMB Login Failed."; classtype:unsuccessful-user; sid:1000000; rev:14; )

alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (content:"|00 00 00 23 ff 53 4d 42 73 6d 00 00 c0|"; depth:13; flow:from_server; threshold:type threshold, track by_dst, count 10, seconds 240; msg:"NETBIOS SMB Login Failed."; classtype:unsuccessful-user; sid:1000001; rev:10; )

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Robert Caplan
Sent: Wednesday, February 11, 2004 9:53 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] SNORT Rule for netbios brute force break-in

My network administrators are constantly flooded with requests to reset Windows accounts which have been locked out because of brute force/dictionary break-in attempts on the netbios port. Intruders are able to enumerate the usernames and by brute force attempt to gain access. Does anyone know of a Snort rule which will detect this behavior?

Thanks,
Robert Caplan
Current thread:
- SNORT Rule for netbios brute force break-in Robert Caplan (Feb 11)
- <Possible follow-ups>
- RE: SNORT Rule for netbios brute force break-in Shaffer, Paul D (Feb 11)
- SNORT Rule for netbios brute force break-in Robert Caplan (Feb 11)
- RE: SNORT Rule for netbios brute force break-in larosa, vjay (Feb 11)