Snort mailing list archives

Re: Windows Logon Failures


From: kimhick () cfl rr com
Date: Wed, 26 Jan 2005 14:11:06 -0500

Thanks to everyone who gave advice.  If nothing else I am learning a lot.  I set the new rules but I am not getting any alarms, but my Event Viewer is getting pounded by more failed logon attempts.  This time by a device called \\ENDO.

My Snort is working; I am getting other NetBIOS alarms from another rule set:

[**] [1:530:3] NETBIOS NT NULL session [**]
[Classification: Attempted Information Leak] [Priority: 2] 
01/26-12:22:32.905683 192.168.38.45:1382 -> 172.30.10.12:139
TCP TTL:123 TOS:0x0 ID:35000 IpLen:20 DgmLen:216 DF
***AP*** Seq: 0x37BEFB5  Ack: 0xC460D626  Win: 0x21D1  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS204][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0347][Xref => http://www.securityfocus.com/bid/1163]

[**] [1:538:1] NETBIOS SMB IPC$access [**]
[Classification: Attempted Information Leak] [Priority: 2] 
01/26-12:22:32.905683 192.168.38.45:1382 -> 172.30.10.12:139
TCP TTL:123 TOS:0x0 ID:35000 IpLen:20 DgmLen:216 DF
***AP*** Seq: 0x37BEFB5  Ack: 0xC460D626  Win: 0x21D1  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS334]

These I think are from old Windows NT servers trying to establish a null or anonymous connection.  I think that is normal.

Are there any other rules out there, or is it possible to write a new rule that can catch this event so I can find a source IP address?

Here is the latest event:

Event Type:     Audit Failure
Event Source:   Security
Event Category: Account Logon
Event ID:       680
Date:           1/26/2005
Time:           7:22:29 AM
User:           SYSTEM
Computer:       COM1
Description:
Logon attempt by:       MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Logon account: uucp
 Source Workstation:    \\ENDO
 Error Code:    0xC0000064


Thanks,

Brian
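As an added example (not from the post or from the Snort project): the Event ID 680 record only names a workstation, so one defensive way toward a source IP is to correlate the event's timestamp with Snort alerts to the SMB ports in the same few seconds. The log text below is constructed, and the script assumes the sensor and the Windows host keep the same clock (the post's alert and event times differ by five hours, so time zones would need aligning first).

```python
import re
from datetime import datetime, timedelta

# Constructed sample input (not from the original post): two Snort "full" alert
# records in the layout quoted above, and one Windows Event ID 680 record.
SNORT_ALERT_LOG = r"""
[**] [1:530:3] NETBIOS NT NULL session [**]
01/26-07:22:28.905683 192.168.38.45:1382 -> 172.30.10.12:139
[**] [1:538:1] NETBIOS SMB IPC$access [**]
01/26-09:05:10.000000 10.20.30.40:2100 -> 172.30.10.12:139
"""
WINDOWS_EVENTS = r"""
Event Type:     Audit Failure
Event ID:       680
Date:           1/26/2005
Time:           7:22:29 AM
Logon account: uucp
 Source Workstation:    \\ENDO
 Error Code:    0xC0000064
"""
# NTSTATUS values that appear in the 680 "Error Code" field.
NTSTATUS = {"0xC0000064": "STATUS_NO_SUCH_USER", "0xC000006A": "STATUS_WRONG_PASSWORD"}
SMB_PORTS = {139, 445}
# Packet-header line of a Snort full-format alert: "MM/DD-HH:MM:SS.usec src:port -> dst:port".
PKT_RE = re.compile(r"^(\d\d)/(\d\d)-(\d\d):(\d\d):(\d\d)\.\d+ (\S+):\d+ -> \S+:(\d+)$", re.M)

def parse_snort(text, year):
    """Yield (timestamp, src_ip, dst_port); Snort omits the year, so it is supplied."""
    for mo, dd, hh, mi, ss, src, dport in PKT_RE.findall(text):
        yield datetime(year, int(mo), int(dd), int(hh), int(mi), int(ss)), src, int(dport)

def field(rec, pattern):
    m = re.search(pattern, rec)
    return m.group(1) if m else None

def parse_events(text):
    """Yield one dict per Event ID 680 record found in dumped Event Viewer text."""
    for rec in re.split(r"(?m)^Event Type:", text)[1:]:
        if field(rec, r"Event ID:\s+(\d+)") != "680":
            continue
        stamp = field(rec, r"Date:\s+(\S+)") + " " + field(rec, r"Time:\s+(\S+ [AP]M)")
        code = field(rec, r"Error Code:\s+(\S+)")
        yield {"when": datetime.strptime(stamp, "%m/%d/%Y %I:%M:%S %p"),
               "account": field(rec, r"Logon account:\s+(\S+)"),
               "workstation": field(rec, r"Source Workstation:\s+\\\\(\S+)"),
               "error": NTSTATUS.get(code, code)}

def correlate(snort_text, event_text, year=2005, window=timedelta(seconds=5)):
    """For each 680 failure, list alert sources that hit an SMB port within the window."""
    pkts = list(parse_snort(snort_text, year))
    return [{**ev, "candidate_ips": sorted({src for ts, src, dport in pkts
                                            if dport in SMB_PORTS and abs(ts - ev["when"]) <= window})}
            for ev in parse_events(event_text)]
```

Run it on real data by pointing the two strings at the alert file and an exported event dump; a candidate list longer than one means the window needs narrowing or the workstation name needs matching against the SMB session request itself.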



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users