Snort mailing list archives
Re: Windows Logon Failures
From: kimhick () cfl rr com
Date: Wed, 26 Jan 2005 14:11:06 -0500
Thanks to everyone who gave advice. If nothing else I am learning a lot. I set the new rules, but I am not getting any alarms, while my event view is getting pounded by more failed logon attempts, this time by a device called \\ENDO. My snort is working; I am getting other netbios alarms from another rule set:

[**] [1:530:3] NETBIOS NT NULL session [**]
[Classification: Attempted Information Leak] [Priority: 2]
01/26-12:22:32.905683 192.168.38.45:1382 -> 172.30.10.12:139
TCP TTL:123 TOS:0x0 ID:35000 IpLen:20 DgmLen:216 DF
***AP*** Seq: 0x37BEFB5 Ack: 0xC460D626 Win: 0x21D1 TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS204][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0347][Xref => http://www.securityfocus.com/bid/1163]

[**] [1:538:1] NETBIOS SMB IPC$access [**]
[Classification: Attempted Information Leak] [Priority: 2]
01/26-12:22:32.905683 192.168.38.45:1382 -> 172.30.10.12:139
TCP TTL:123 TOS:0x0 ID:35000 IpLen:20 DgmLen:216 DF
***AP*** Seq: 0x37BEFB5 Ack: 0xC460D626 Win: 0x21D1 TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS334]

These I think are from old Windows NT servers trying to establish a null or anonymous connection. I think that is normal. Are there any other rules out there, or is it possible to write a new rule that can catch this event so I can find a source IP address?

Here is the latest event:

Event Type: Audit Failure
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 1/26/2005
Time: 7:22:29 AM
User: SYSTEM
Computer: COM1
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: uucp
Source Workstation: \\ENDO
Error Code: 0xC0000064

Thanks,
Brian
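An added example, not part of the original post and not Snort project code: a small Python script that parses Snort full-format alerts like the two quoted above and an exported Event ID 680 record, then correlates them by time so that the sensor's source IP can be tied to the failed logon that only names a workstation. The sample inputs are constructed from the post (the event time is placed on the sensor's clock, since the real one is on a different clock), and the ten-second window and the NT status lookup table are assumptions of this example.

```python
import re
from datetime import datetime
# Constructed samples modelled on the post; the event time is put on the sensor's clock.
SNORT_ALERTS = """[**] [1:530:3] NETBIOS NT NULL session [**]
[Classification: Attempted Information Leak] [Priority: 2]
01/26-12:22:32.905683 192.168.38.45:1382 -> 172.30.10.12:139
[**] [1:538:1] NETBIOS SMB IPC$access [**]
[Classification: Attempted Information Leak] [Priority: 2]
01/26-12:22:32.905683 192.168.38.45:1382 -> 172.30.10.12:139
"""
WIN_EVENT = r"""Event ID: 680
Date: 1/26/2005
Time: 12:22:29 PM
Logon account: uucp
Source Workstation: \\ENDO
Error Code: 0xC0000064
"""
ALERT_RE = re.compile(r"\[\*\*\] \[\d+:(?P<sid>\d+):\d+\] (?P<msg>.+?) \[\*\*\]")
HDR_RE = re.compile(r"(?P<md>\d\d/\d\d)-(?P<t>\d\d:\d\d:\d\d)\.\d+ "
                    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)")
SMB_PORTS = {139, 445}          # NetBIOS session service / direct-hosted SMB
NT_STATUS = {"0xC0000064": "STATUS_NO_SUCH_USER", "0xC000006A": "STATUS_WRONG_PASSWORD"}

def parse_snort_alerts(text, year=2005):
    """Split Snort full-alert output into dicts: sid, msg, ts, src, dst, dport."""
    alerts, cur = [], None
    for line in text.splitlines():
        if m := ALERT_RE.match(line):
            alerts.append(cur := {"sid": int(m["sid"]), "msg": m["msg"]})
        elif (h := HDR_RE.match(line)) and cur is not None:
            cur["ts"] = datetime.strptime(f"{year}/{h['md']} {h['t']}", "%Y/%m/%d %H:%M:%S")
            cur.update(src=h["src"], dst=h["dst"], dport=int(h["dport"]))
    return alerts

def parse_windows_event(text):
    """Turn the 'Key: value' lines of an exported Security event into a dict with a ts."""
    ev = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if value:
            ev[key.strip()] = value.strip()
    ev["ts"] = datetime.strptime(f"{ev['Date']} {ev['Time']}", "%m/%d/%Y %I:%M:%S %p")
    ev["status"] = NT_STATUS.get(ev.get("Error Code", ""), "unknown")   # assumed table
    return ev

def correlate(event, alerts, window_s=10):
    """Source IPs of SMB-port alerts whose timestamp falls within window_s of the failure."""
    return sorted({a["src"] for a in alerts if a.get("dport") in SMB_PORTS
                   and abs((a["ts"] - event["ts"]).total_seconds()) <= window_s})
```

With the constructed inputs, the uucp failure from \\ENDO (STATUS_NO_SUCH_USER) lines up with the two NETBIOS alerts and resolves to 192.168.38.45; widening or narrowing the window is the usual knob when the host and sensor clocks drift.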
Current thread:
- Windows Logon Failures kimhick (Jan 25)
- <Possible follow-ups>
- RE: Windows Logon Failures Bristol, Gary L. (Jan 25)
- Windows Logon Failures Brian Kimsey-Hickman (Jan 26)
- Re: Windows Logon Failures Nerijus Krukauskas (Jan 26)
- Re: Windows Logon Failures kimhick (Jan 26)