SMB Authorization Failure

jarhead354
Level 1

I'm seeing lots of SMB Authorization Failure events being reported to MARS from IPS signature 5606/0. I strongly suspect that these events are false but I don't know a lot about SMB. The Event Type Details in MARS states "This signature detects when three or more consecutive failed Windows NT (or Samba) user authentication within a single SMB session..." However, the Event Count parameter of 5606/0 is set to the default of 1. Should this be bumped up to 3 or am I smoking dope? Should I be looking at other areas of the signature definition?

Any help would be appreciated.

-Frank

1 Reply

scothrel
Level 3

Frank,

The documentation wasn't updated when we updated the SMB engine, so it's not working on the "three strikes" principle. The current functionality is to alarm on the first instance and then go into summary mode. You can have it alarm after 3 instances by bumping the event count to 3. You can cut down some of the noise by adjusting that value.

Additionally, the event tracking key is currently AaBb, which means that it will track the events on a full quad (Src IP/port & Dst IP/port). In this case the Dst IP/port are always the same (your server), so if an attacker uses a tool that uses the same port over and over, you'll only get the one alarm, then summaries later. If it's parallel in its operation and uses multiple ports, you'll get an alarm per SrcIP/port. Generally I'd keep the summarization key in step with the event key for this signature. I'm not suggesting that it needs to change or anything, just letting you know what it does.

Generally this alarm will fire every time someone fat-fingers their Windows password or attempts to access a protected share that they don't have permissions on. I will recommend this signature to the signature team for a review of its settings in a future update.
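The reply above describes two knobs that decide how much noise signature 5606/0 produces: the event count (alarm on the Nth failure, then summarize) and the tracking key (AaBb counts per full Src/Dst IP/port quad). The following is an added simulation of that counting logic, not Cisco IPS code; it assumes Cisco's key notation (AaBb = full quad, AxBx = attacker and victim address only) and ignores the summary timer so the effect of the two settings can be compared on constructed SMB auth-failure events.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class SmbAuthFailure:
    """One failed SMB session authentication as the sensor would see it (constructed)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

def tracking_key(ev, key_type):
    """Map an event onto the tuple the signature counts on.
    AaBb: attacker addr+port and victim addr+port (the page's current setting).
    AxBx: attacker addr and victim addr only (assumed Cisco key type)."""
    if key_type == "AaBb":
        return (ev.src_ip, ev.src_port, ev.dst_ip, ev.dst_port)
    if key_type == "AxBx":
        return (ev.src_ip, ev.dst_ip)
    raise ValueError(f"unsupported key type {key_type!r}")

def evaluate(events, event_count=1, key_type="AaBb"):
    """Return (alarms, summarized): keys that fired an alarm once they reached
    event_count failures, and per-key counts of later failures that were only
    folded into summary mode instead of raising a fresh alarm."""
    counts = defaultdict(int)
    alarmed = set()
    alarms = []
    summarized = defaultdict(int)
    for ev in events:
        key = tracking_key(ev, key_type)
        if key in alarmed:            # already alarmed: summary mode only
            summarized[key] += 1
            continue
        counts[key] += 1
        if counts[key] >= event_count:
            alarms.append(key)
            alarmed.add(key)
    return alarms, dict(summarized)

# Constructed scenarios: a user mistyping a password twice over one session,
# and a parallel tool that opens a separate source port for each attempt.
USER_TYPOS = [SmbAuthFailure("10.0.0.5", 51000, "10.0.0.10", 445)] * 2
PARALLEL = [SmbAuthFailure("192.0.2.7", 40000 + i, "10.0.0.10", 445) for i in range(5)]

if __name__ == "__main__":
    for count in (1, 3):
        print("typos   count=%d:" % count, evaluate(USER_TYPOS, count))
        print("parallel count=%d AaBb:" % count, evaluate(PARALLEL, count, "AaBb"))
        print("parallel count=%d AxBx:" % count, evaluate(PARALLEL, count, "AxBx"))
```

With the default count of 1 the typo scenario alarms on the first failure and the parallel scenario alarms once per source port under AaBb; with count 3 the typos never alarm, and only the AxBx key lets the parallel attempts accumulate to an alarm.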
