Sergey, SMB_Empty_Password is not currently tunable in the way you need.
The signature does not trigger on null session requests, but it does trigger on other attempts to log in without a password.

From your description it sounds like we could improve the signature if we changed it to only report successful logins without a password. That should prevent the signature from reporting failed attempts to log in to Guest, but it would still report successful logins to Guest if that account does not have a password.

If this change is of interest to you, please contact ISS Technical Support so that we can get a case opened to track the request. If you reference this e-mail message, it may speed things along.

Also, if you find any examples in your network where this signature triggers on a null session request, that would be a bug that we would really like to resolve. A packet capture would be very useful in that case.

Paul

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Sergey V Soldatov
Sent: Tuesday, December 23, 2003 10:34 AM
To: [EMAIL PROTECTED]
Subject: [ISSForum] SMB_Empty_Password

Hi All!

Does anyone know how to adjust this signature? I have a VERY great number of such events per day and I think that all of those events are not serious, because almost every workstation in the LAN generates at least one SMB_Empty_Password event. I don't want to switch off that signature, because it has high severity, but how can I adjust it?

I've found that this signature is generated when a user not in the NT domain is trying to access a network share or to use a network printer. But it is not a serious violation, because after trying to connect as Guest, the user will be prompted to specify domain, login and password, and if the user specifies wrong credentials, access will be denied! Also, scanning through a NULL session (connection to the IPC$ share) is permitted in Windows (NT, 2K) by default, and denying it requires special configuration in the registry... It is not a serious violation either!

How can I adjust SMB_Empty_Password to ignore such situations?
Thanks a lot.

---
Best regards,
Sergey V. Soldatov
Department of information security, TNK-BP.

_______________________________________________
ISSForum mailing list
[EMAIL PROTECTED]
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo
