We recently discovered that sometimes, randomly, a host called "Windows7" tries to mount a shared folder from our fileserver/DC. We discovered this because our SIEM correlated some events from the DC server. Sadly this SIEM does not show us the source IP address, so we added a PAN in SPAN port mode to the switch to try to capture the ms-smb failed logons.
We started by adding the default custom signature and setting it up to trigger with 5 events in 120 seconds (just like the SIEM's alert), but that did not work. Now we are trying to make a custom signature that triggers when any packet with the string "jbonaldo" goes through the PAN (jbonaldo is the host name).
I already read the "creating custom signature rev b" and I cannot find any reference to SMB2 for the context field, so I tried to use "unknown-req-tcp-payload". I also tried setting up the string in clear text and/or hexadecimal.
BTW, I already created a vulnerability profile and appended it to the security rule (just to be clear 🙂 )
What am I doing wrong?
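One thing worth checking before blaming the signature itself, as an added illustration that is not the poster's configuration and not vendor code: during an SMB logon the client's workstation name travels inside the NTLM AUTHENTICATE message, where it is encoded as UTF-16LE (and Windows normally sends the NetBIOS name uppercased), so a clear-text ASCII pattern for "jbonaldo" never matches the bytes on the wire. The script below uses a constructed stand-in payload (not a real capture) to show which encoding of the hostname actually matches and prints the hex form of each variant.

```python
"""Check which encoding of a Windows hostname appears in a captured
SMB/NTLM payload and emit the hex form each variant would need.

Added example; the payload below is constructed, not a real capture."""
import binascii


def encodings(hostname: str) -> dict:
    """Byte patterns a hostname may take on the wire.
    NTLM AUTHENTICATE carries the Workstation field as UTF-16LE when the
    Unicode flag is negotiated (the usual case for Windows clients), and
    NetBIOS-style names are normally uppercase."""
    return {
        "ascii": hostname.encode("ascii"),
        "ascii-upper": hostname.upper().encode("ascii"),
        "utf16le": hostname.encode("utf-16-le"),
        "utf16le-upper": hostname.upper().encode("utf-16-le"),
    }


def hex_pattern(raw: bytes) -> str:
    """Hex string of a byte pattern, suitable for a hex-style match rule."""
    return binascii.hexlify(raw).decode()


def find_hostname(payload: bytes, hostname: str) -> list:
    """Return the names of the encodings of hostname found in payload."""
    return [name for name, pat in encodings(hostname).items() if pat in payload]


# Constructed stand-in for an NTLM AUTHENTICATE (type 3) message:
# the "NTLMSSP\0" signature, MessageType 3, filler in place of the
# security-buffer descriptors, then the Workstation field as UTF-16LE.
SAMPLE_PAYLOAD = (
    b"NTLMSSP\x00" + (3).to_bytes(4, "little") + b"\x00" * 16
    + "JBONALDO".encode("utf-16-le") + b"\x00" * 4
)

if __name__ == "__main__":
    for name, pat in encodings("jbonaldo").items():
        print(f"{name:14} {hex_pattern(pat)}")
    print("matched:", find_hostname(SAMPLE_PAYLOAD, "jbonaldo"))
```

Run it against bytes pulled from your own SPAN capture instead of SAMPLE_PAYLOAD to confirm which variant your client really sends before building the pattern.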