SMB Enumeration Detection, Port Scans etc... Could do more HIPSy things!

Love this firewall - Would be great if Glasswire could detect (among a list of many sh*tty things) incoming SMB enumeration and RDP attack attempts and block the offending IP address? Was on a public hotel network (yeah we know… I was forced, based on limited connectivity) a few months ago and almost got pwned by either some jackass running SMB enums or someone’s computer that was hijacked with malware. Great also if we could have attacker thumbprint and fingerprint detection, and some ARP poison detection as well. As far as I can tell, it’s not built in and I cannot see where I’d enable it or customize it. I can run Snort, but it won’t BLOCK an attacker. I’d double my license fee if you can do this; Most others would as well. There isn’t a solution out there that doesn’t cost enterprise-level $$$$. Please consider! THANKS!!! What else would you guys & girls love to see added to Glasswire in this (HIPS) realm?

@NoMoreFudgicles

Thanks for your feedback. We agree!

We do have a successful RDP connection monitor (but not failed attempts yet), Evil Twin Attack Detection, ARP spoofing, and some other things. Go to the top left GlassWire menu and choose settings/security to see, and our list of alerts are also here https://www.glasswire.com/dictionary/.

How do you detect SMB enumeration with Windows?

My GlassWire installations are on paranoid mode, i’ve enabled ALL of those options, and somehow missed reading the ARP poison detect (although it was still enabled) lol.

As far as SMB enums, they’re likely only through the log entries; Many enterprise IPS appliances/agents will alert on this and null session pipes. If you search SMB enumeration, there are a bunch of resources that show what the log entries look like, or set up a windows box and try it. Bunch of pentesting tools that can do this easily.

1 Like

@NoMoreFudgicles

We will check it out, thank you. Also, if you have other ideas for similar detections we could look for in the future please post them.

We have thought about just reading the Windows Events Logs so other apps could drop alerts there we could read too but we worry it could become annoying with too many alerts.

I sure will. Thanks for the reply! There are patterns which should be able to be picked up from monitoring the logs, and then potentially block the subsequent enum requests to the OS. I’ll send more info as I collect it.

1 Like