SMB Analysis Configuration - Enterasys Intrusion Prevention System Manual

Network sensor policies and signatures guide

SMB Analysis Configuration

SMB analysis inspects Server Message Block (SMB) protocol packets.

You can choose to log SMB activity by NETBIOS session and by login attempt. The Network Sensor can watch for specific types of NETBIOS traffic, which is useful for spotting failed Windows file share mounts. These mounting failures may be the result of a probe, of insufficient NT security resources, or of legitimate users mistyping their NT domain password.

You can also watch for a variety of Windows NT logon events. This works only for Windows NT, not Windows 2000 or XP. The intent is to focus on NT access that crosses your protected network boundaries. On internal networks, remote Administrator and null user access is reasonable; across network perimeters, this sort of activity usually does not occur. Null user NT activity is particularly suspicious because it is a common attack vector into NT servers.

Analyzing your local network traffic and running the Network Sensor for a few days usually identifies normal null user NT activity quickly. Filtering then allows this normal traffic to occur without any alerts, so that when remote users attempt to connect to an NT server as the null user, those alerts stand out. If the source IP address is not a known-good host, the event can be treated as a probe. If the NT Administrator account has been renamed (which is standard security practice), remote probes for the Administrator name stand out even more.
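The filtering logic described above, as an added example that is not part of the Enterasys manual or product: it classifies constructed SMB session-setup records, suppresses null-user activity from hosts learned as normal during baselining, and raises the severity of null sessions, failed logons, and probes for a renamed Administrator account that come from outside an assumed 10.0.0.0/8 protected network.

```python
import ipaddress

# Constructed sample of SMB session-setup records, not real sensor output:
# (source IP, target server, account name, result). An empty account is a null session.
SAMPLE_EVENTS = [
    ("10.1.2.30", "FS01", "", "success"),                # baselined internal null session
    ("10.1.2.31", "FS01", "jsmith", "failure"),          # internal user mistyped password
    ("203.0.113.7", "FS01", "", "success"),              # null session from outside
    ("203.0.113.7", "FS01", "Administrator", "failure"), # probe for the renamed admin account
    ("198.51.100.9", "FS01", "bob", "failure"),          # failed share mount from outside
]

PROTECTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal address space
KNOWN_GOOD_NULL = {"10.1.2.30"}  # hosts whose null-user activity was normal while baselining
ADMIN_RENAMED = True             # assumption: the real Administrator account was renamed

def is_internal(src):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in PROTECTED_NETS)

def classify(event):
    """Return (severity, reason) for one record, or None if it is filtered as normal."""
    src, _target, account, result = event
    internal = is_internal(src)
    if account == "":
        if src in KNOWN_GOOD_NULL:
            return None  # learned as normal during baselining, suppressed
        if internal:
            return ("low", "unbaselined null session inside the perimeter")
        return ("high", "null session crossing the perimeter")
    if ADMIN_RENAMED and account.lower() == "administrator":
        # once the account is renamed, nobody legitimate logs on under the old name
        return ("medium" if internal else "high", "probe for renamed Administrator account")
    if result == "failure":
        if internal:
            return ("low", "failed logon inside the perimeter (likely mistyped password)")
        return ("medium", "failed share access from outside the perimeter")
    return None

def run(events):
    """Return (source, severity, reason) for every record that is not filtered out."""
    alerts = []
    for ev in events:
        verdict = classify(ev)
        if verdict:
            alerts.append((ev[0], *verdict))
    return alerts

if __name__ == "__main__":
    for src, sev, reason in run(SAMPLE_EVENTS):
        print(f"{sev:6} {src:15} {reason}")
```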
Procedure

To configure SMB Analysis settings:

1. Click the Network Policy View icon and the Network Policies tab.
2. Expand the tree by clicking the expansion symbols and select the desired custom policy name. The modules for that policy are displayed in the tree.
3. Click the Protocol Analysis Module in the tree.
4. Expand SMB Analysis in the Protocol column.
Configuring the Protocol Analysis Module
Creating Network Sensor Policies and Signatures 2-81