Same source and destination IP

Posted 10/9/2009 7:39:30 AM
Forum Newbie

Group: Forum Members
Last Login: 10/9/2009 7:29:53 AM
Posts: 1, Visits: 0
Hi Randy,

First of all, congratulations for your web site; it is excellent from the technical and marketing point of view.

We work with Arcsight, which is a SEM, and the connector that obtains the logs from the DC (W2K3) gives us 680 events with the same source and destination IP, that is, the IP address of the Domain Controller.

This generates a lot of noise in a system with too much NTLM authentication because Arcsight correlates "Brute Force Attacks" based on source and IP address (must be the same for the different events).

Why would authentication events (680) have the source IP address of the Domain Controller itself?

This is something that I am not able to find out.

Thank you very much in advance.

Kind Regards,

P.S. I have seen your webinar on Authentication vs Logon: really interesting.

Post #228
Posted 10/9/2009 8:06:58 AM
Expert

Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 329, Visits: 0
That's interesting. It's not unusual to see authentication events where the client is the same as the DC, but they would normally be Kerberos (event IDs beginning with 672) instead of NTLM (events 680 and 681).

Do you have "audit logon events" enabled? (not to be confused with "Audit account logon events")

If so you should be getting event ID 528 or 540. Can you post some sanitized examples of your 680, 528, 540s? Pay attention to the Logon Type in 528/540.

Post #230
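An added example (not from either poster, and not ArcSight's own correlation logic) showing why keying a brute-force rule on the reported source IP breaks when NTLM 680 events all carry the DC's own address, and one way to tune it: when the source IP equals the DC, aggregate failures on the event's Source Workstation field instead. The events and the address 10.0.0.5 are constructed sample data.

```python
from collections import Counter

# Constructed sample events, not from the thread. 10.0.0.5 stands in for the DC's own address,
# which is what the connector reports as source IP for every 680 regardless of the real client.
DC_IP = "10.0.0.5"
SAMPLE_EVENTS = [
    {"event_id": 680, "user": "alice", "src_ip": "10.0.0.5", "workstation": "WS01", "error_code": "0xC000006A"},
    {"event_id": 680, "user": "alice", "src_ip": "10.0.0.5", "workstation": "WS01", "error_code": "0xC000006A"},
    {"event_id": 680, "user": "bob",   "src_ip": "10.0.0.5", "workstation": "WS02", "error_code": "0xC000006A"},
    {"event_id": 680, "user": "carol", "src_ip": "10.0.0.5", "workstation": "WS03", "error_code": "0x0"},
    {"event_id": 680, "user": "dave",  "src_ip": "10.0.0.5", "workstation": "WS04", "error_code": "0xC000006A"},
    {"event_id": 680, "user": "erin",  "src_ip": "10.0.0.5", "workstation": "WS01", "error_code": "0xC000006A"},
    # A 528 (audit logon events) for the successful 680 above; Logon Type 3 = network.
    {"event_id": 528, "user": "carol", "src_ip": "10.0.0.5", "workstation": "WS03", "logon_type": 3},
]

def is_failed_ntlm_auth(ev):
    """680 is logged for success and failure; a non-zero Error Code marks the failure."""
    return ev["event_id"] == 680 and ev.get("error_code", "0x0") != "0x0"

def correlation_key(ev, dc_ip=DC_IP):
    """Source to aggregate on. If the connector reports the DC's own IP, that value
    says nothing about the client, so fall back to the Source Workstation field."""
    if ev["src_ip"] == dc_ip:
        return ("workstation", ev["workstation"])
    return ("ip", ev["src_ip"])

def failures_by_source(events, dc_ip=DC_IP, naive=False):
    """Count failed NTLM authentications per source. naive=True keys purely on src_ip,
    which is the behaviour that collapses every DC-sourced 680 into one bucket."""
    counts = Counter()
    for ev in events:
        if is_failed_ntlm_auth(ev):
            key = ("ip", ev["src_ip"]) if naive else correlation_key(ev, dc_ip)
            counts[key] += 1
    return counts

def brute_force_candidates(events, threshold=3, dc_ip=DC_IP, naive=False):
    """Sources whose failure count reaches the threshold (a stand-in for the SEM rule)."""
    counts = failures_by_source(events, dc_ip, naive)
    return sorted(key for key, n in counts.items() if n >= threshold)
```

With the naive key, all five failures land on the DC's address and fire one false "brute force" alert; with the workstation fallback only WS01, which really has three failures, is reported.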