Snort mailing list archives
Re: Detecting administrative share access
From: Tewodros Ambasa via Snort-users <snort-users () lists snort org>
Date: Mon, 28 Jan 2019 20:25:48 +0200
I am monitoring administrative share access that occurs on port 445; I am not monitoring other ports like TFTP. The initial rule was submitted erroneously. The corrected rule, which still does not get triggered when administrative shares are accessed, is below:

alert tcp any any -> $HOME_NET 445 (msg:"Admin share access"; pcre:"/(\\ADMIN\$)|(\\C\$)/i"; sid:1000200; rev:001; classtype:misc-activity;)
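Added example (not part of the original post and not Snort project code): one possible reason an ASCII byte pattern like the one in the rule stays silent is that SMB2 carries the TREE_CONNECT share path as UTF-16LE, so every character is followed by a NUL byte. The Python below assumes SMB2 on an unencrypted session; the packet is constructed, and WIDE_PCRE and the helper names are hypothetical.

```python
import re
import struct

# Byte pattern from the rule in the post: share names as contiguous ASCII.
RULE_PCRE = re.compile(rb"(\\ADMIN\$)|(\\C\$)", re.I)

def wide(name: bytes) -> bytes:
    """Regex fragment matching name as ASCII or UTF-16LE (NUL after each byte)."""
    return b"".join(re.escape(bytes([c])) + rb"\x00?" for c in name)

# Hypothetical encoding-tolerant variant of the same two share names.
WIDE_PCRE = re.compile(wide(b"\\ADMIN$") + b"|" + wide(b"\\C$"), re.I)

ADMIN_SHARES = {"ADMIN$", "C$"}  # the shares the post's rule targets

def tree_connect(path: str) -> bytes:
    """Constructed SMB2 TREE_CONNECT request; unused header fields are zeroed."""
    raw = path.encode("utf-16-le")
    # ProtocolId, StructureSize=64, CreditCharge, Status, Command=3 (TREE_CONNECT)
    header = b"\xfeSMB" + struct.pack("<HHIH", 64, 0, 0, 3) + bytes(50)
    # StructureSize=9, Flags, PathOffset (from header start), PathLength
    body = struct.pack("<HHHH", 9, 0, 64 + 8, len(raw))
    return header + body + raw

def share_from_tree_connect(pkt: bytes):
    """Return the decoded share path of an SMB2 TREE_CONNECT request, else None."""
    if len(pkt) < 72 or pkt[:4] != b"\xfeSMB":
        return None
    if struct.unpack_from("<H", pkt, 12)[0] != 3:
        return None
    off, length = struct.unpack_from("<HH", pkt, 68)
    return pkt[off:off + length].decode("utf-16-le", errors="replace")

def is_admin_share(path) -> bool:
    """True when the last path component is one of the administrative shares."""
    return bool(path) and path.rsplit("\\", 1)[-1].upper() in ADMIN_SHARES

if __name__ == "__main__":
    pkt = tree_connect("\\\\10.0.0.5\\ADMIN$")  # constructed sample, not captured traffic
    print("rule pattern matches:", bool(RULE_PCRE.search(pkt)))
    print("wide pattern matches:", bool(WIDE_PCRE.search(pkt)))
    print("parsed share:", share_from_tree_connect(pkt))
```

Decoding the path field and comparing the last component is stricter than either byte pattern, which can match the same bytes anywhere in a payload.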
