OT: Can SMB filenames be well defined for IDS systems?

Jason Haar Jason.Haar at trimble.co.nz
Thu May 29 18:18:26 GMT 2003

Esh, Andrew wrote:
> Your method of packet sniffing for virus activity is a good idea. Please
> share your results with us. Perhaps someone would be interested in
> developing a VFS module that does the same thing.

To be honest, Snort is only one of the weapons we use. The best way I've 
found of finding trojans on the WAN in via honeypots. Our IDS systems 
also run Samba, exporting a "C" share containing a partial install of 
WinNT, that is world writable with "guest ok". Every five minutes a 
cronjob does a diff  comparing that share against a reference copy, and 
if any differences are found, sends out an alert saying which user on 
which NetBIOS machine on which IP address is responsible for changing 
the files (log level = 9 is great!). After sending the email, it resets 
the directory to await the next intrusion ;-)

It's perfect: it doesn't rely on a "virus scanner" - so there are no 
False Positives, and it only catches either Trojans or people changing 
files on a box they don't own - either way it's worth jumping up and 
down about.


More information about the samba-technical mailing list