Yes, it would be better for SMB_Empty_Password to be triggered only on
successful logins without a password.
I think that the best thing would be for a new signature, for example,
Empty_Password_Success_Login, to be created, and for SMB_Empty_Password to
be left as it is - maybe failed attempts to log in without a password are
interesting to someone else...
Recently I have found another signature that is triggered without any
reason - SMB_Client_Cleartext_Password. On the workstation that is the source
of such events, sending passwords in clear text is not allowed. In Event Details,
the :PASSWORD attribute value is binary and not readable.... I think it is
a false positive, but how can I adjust it?? I don't want to turn it off!
Thank you.
---
Best regards, Sergey V. Soldatov
Department of information security,
TNK-BP.
tel/fax +7 095 745 89 50 (2663)
From: "Palmer, Paul (ISSAtlanta)" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
To: "Sergey V Soldatov" <[EMAIL PROTECTED]>, "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
cc:
Subject: RE: [ISSForum] SMB_Empty_Password
24.12.2003 17:51
Sergey,
SMB_Empty_Password is not currently tunable in the way you need.
The signature does not trigger on null session requests, but it does
trigger on other attempts to log in without a password. From your
description it sounds like we could improve the signature if we changed it
to only report successful logins without a password. That should prevent
the signature from reporting failed attempts to login to Guest, but it
would still report successful logins to Guest if that account does not have
a password.
If this change is of interest to you, please contact ISS Technical Support
so that we can get a case opened to track the request. If you reference
this e-mail message, it may speed things along.
Also, if you find any examples in your network where this signature
triggers on a null session request, that would be a bug that we would
really like to resolve. A packet capture would be very useful in that case.
Paul
-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Sergey V Soldatov
Sent: Tuesday, December 23, 2003 10:34 AM
To: [EMAIL PROTECTED]
Subject: [ISSForum] SMB_Empty_Password
Hi All!
Does anyone know how to adjust this signature?
I have a VERY great number of such events per day and I think that all of
those events are not serious, because almost every workstation in the LAN
generates at least one SMB_Empty_Password event.
I don't want to switch off that signature, because it has high severity,
but how can I adjust it?
I've found that this signature is generated when a user not in the NT domain
tries to access a network share or to use a network printer. But it is not
a serious violation, because after trying to connect as Guest, the user will be
prompted to specify domain, login and password, and if the user specifies
wrong credentials - access will be denied!
Also, scanning through a NULL session (connection to the IPC$ share) is permitted
in Windows (NT, 2K) by default, and denying this requires special
configuration in the registry... - it is not a serious violation either!
How can I adjust SMB_Empty_Password to ignore such situations?
Thanks a lot.
---
Best regards, Sergey V. Soldatov
Department of information security,
TNK-BP.
_______________________________________________
ISSForum mailing list
[EMAIL PROTECTED]
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
https://atla-mm1.iss.net/mailman/listinfo
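
The distinction discussed in this thread (null session vs. failed vs. successful login without a password), as an added example that is not ISS signature code and not part of the original messages. It assumes SMB1 SESSION_SETUP_ANDX with a 13-word request and OEM (non-Unicode) strings; the function names and sample packets are constructed for illustration.

```python
import struct

SESSION_SETUP_ANDX = 0x73          # SMB1 command code
STATUS_LOGON_FAILURE = 0xC000006D  # NT status for a rejected logon

def header(status, flags):
    # 32-byte SMB1 header; fields this example does not read are zeroed
    return b"\xffSMB" + struct.pack("<BIBH", SESSION_SETUP_ANDX, status, flags, 0) + bytes(20)

def build_request(user, password=b""):
    # Constructed sample: 13-word request, OEM password then account name
    words = struct.pack("<BBHHHHIHHII", 0xFF, 0, 0, 4356, 50, 0, 0, len(password), 0, 0, 0)
    data = password + user + b"\x00"
    return header(0, 0) + bytes([13]) + words + struct.pack("<H", len(data)) + data

def build_response(status, action=0):
    # Constructed sample: 3-word response; Action bit 0 means "logged in as guest"
    words = struct.pack("<BBHH", 0xFF, 0, 0, action)
    return header(status, 0x80) + bytes([3]) + words + struct.pack("<H", 0)

def classify(request, response):
    if len(request) < 61 or request[:4] != b"\xffSMB":
        return "not-applicable"
    if request[4] != SESSION_SETUP_ANDX or request[32] != 13:
        return "not-applicable"
    # OEMPasswordLen and UnicodePasswordLen sit 14 bytes into the parameter words
    oem_len, uni_len = struct.unpack_from("<HH", request, 47)
    data = request[61:]
    password = data[:oem_len + uni_len]
    user = data[oem_len + uni_len:].split(b"\x00", 1)[0]
    if password.strip(b"\x00"):
        return "password-supplied"
    if not user:
        return "null-session"            # anonymous request, not a login attempt
    if struct.unpack_from("<I", response, 5)[0] != 0:
        return "empty-password-failed"   # rejected, e.g. Guest disabled
    guest = struct.unpack_from("<H", response, 37)[0] & 1
    return "empty-password-guest-success" if guest else "empty-password-success"

def should_alert(request, response):
    # Report only logins that actually succeeded without a password
    return classify(request, response).endswith("success")

if __name__ == "__main__":
    req = build_request(b"GUEST")
    print(classify(req, build_response(STATUS_LOGON_FAILURE)))
    print(classify(req, build_response(0, action=1)))
    print(classify(build_request(b"", b"\x00"), build_response(0)))
```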