OT: Can SMB filenames be well defined for IDS systems?
Jason Haar
Jason.Haar at trimble.co.nz
Thu May 29 18:18:26 GMT 2003
Esh, Andrew wrote:
> Your method of packet sniffing for virus activity is a good idea. Please
> share your results with us. Perhaps someone would be interested in
> developing a VFS module that does the same thing.
To be honest, Snort is only one of the weapons we use. The best way I've
found of finding trojans on the WAN is via honeypots. Our IDS systems
also run Samba, exporting a "C" share containing a partial install of
WinNT, that is world writable with "guest ok". Every five minutes a
cronjob does a diff comparing that share against a reference copy, and
if any differences are found, sends out an alert saying which user on
which NetBIOS machine on which IP address is responsible for changing
the files (log level = 9 is great!). After sending the email, it resets
the directory to await the next intrusion ;-)
It's perfect: it doesn't rely on a "virus scanner" - so there are no
False Positives, and it only catches either Trojans or people changing
files on a box they don't own - either way it's worth jumping up and
down about.
Jason
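The cron job described in the post, as an added example that is not code from the original message or from the Samba project: it builds a checksum manifest of the reference copy and of the live share, diffs the two manifests, classifies every added, removed or changed file, and resets the share when anything differs. The directory paths, the ALERT_CMD hook and the file names used in comments are assumptions; the part of the post that pulls the user, NetBIOS name and IP address out of the smbd log at log level 9 is site-specific and is not reproduced.

```shell
#!/bin/sh
# Added example, not code from the original post: a cron-style check that
# compares a honeypot SMB share against a pristine reference copy, reports
# every added, removed or changed file, and resets the share afterwards.
# Directory paths are assumptions; point them at your own share and reference.

# One line per regular file under the given directory: "<relative path>\t<crc>\t<size>".
# cksum prints "crc size name"; names may contain spaces, so the name is rebuilt
# from the third field onward. LC_ALL=C keeps the sort order byte-stable.
manifest() {
    (cd "$1" && LC_ALL=C find . -type f -exec cksum {} + |
        awk '{ name = $3; for (i = 4; i <= NF; i++) name = name " " $i
               printf "%s\t%s\t%s\n", name, $1, $2 }' | LC_ALL=C sort)
}

# Diff the two manifests (reference first, live share second) and classify each
# differing path: present only in the share = added, only in the reference =
# removed, present in both with a different checksum or size = changed.
# Output lines look like "changed ./winnt/system32/notepad.exe" (sorted).
honeypot_diff() {
    ref_m=$(mktemp) && share_m=$(mktemp) || return 2
    manifest "$1" >"$ref_m"
    manifest "$2" >"$share_m"
    diff "$ref_m" "$share_m" | awk -F'\t' '
        /^[<>]/ { name = substr($1, 3); side[name] = side[name] substr($1, 1, 1) }
        END {
            for (n in side) {
                if (side[n] == "<")      print "removed " n
                else if (side[n] == ">") print "added " n
                else                     print "changed " n
            }
        }' | LC_ALL=C sort
    rm -f "$ref_m" "$share_m"
}

# Throw away the tampered share and restore the reference copy, keeping the
# share world-writable as the post describes ("guest ok" on the Samba side).
honeypot_reset() {
    rm -rf "$2" && cp -R "$1" "$2" && chmod -R a+rwX "$2"
}

# Cron entry point: returns 0 when the share is untouched, 1 after reporting
# changes and resetting it. The report is piped to ALERT_CMD (default: cat,
# i.e. stdout; a mail command is the obvious replacement). Correlating the
# report with the user/NetBIOS name/IP from the smbd log is left out here.
honeypot_check() {
    changes=$(honeypot_diff "$1" "$2")
    [ -z "$changes" ] && return 0
    printf 'honeypot share %s modified:\n%s\n' "$2" "$changes" | ${ALERT_CMD:-cat}
    honeypot_reset "$1" "$2"
    return 1
}

# Run directly with the two directories, e.g. from cron every five minutes
# (paths below are placeholders):
#   */5 * * * * /usr/local/bin/honeypot-check.sh /srv/honeypot-ref /srv/honeypot-share
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    honeypot_check "$1" "$2"
fi
```

Diffing manifests instead of the trees themselves keeps the report to one line per file and makes the classification (added, removed, changed) explicit, which is what an analyst needs when the alert arrives; diffing the reference against the share with `diff -r` would also work but produces output that is harder to parse for file names containing spaces.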