[Snort-sigs] Microsoft Baseline Security Analyzer - Signature yet?

Robert Wagner rwagner at ...447...
Tue Apr 9 15:12:08 EDT 2002

I noticed Microsoft ditched their personal security tool and replaced it
with a vulnerability analyzer.

Now all users can scan your entire subnet with the click of a mouse.

It appears to need a UDP connection prior to performing an analysis.  This
signature seems to work.
alert udp any 137 -> $HOME_NET 137 (msg:"Microsoft Baseline Security Analyzer scan"; content: "|41 41 41 41 41 41 41 00 00 21 00 01|";)

This tool doesn't report anything about non-Windows systems.  Let me know if
you come up with a better signature.
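
The content bytes in the rule above decode as the last seven letters of a first-level-encoded NetBIOS name (0x41 is 'A', a zero nibble), the name terminator, question type 0x0021 (node status) and class 0x0001. The following is an added example, not part of the original post: it builds constructed NBNS payloads and compares the rule's substring match with a full parse of the question; the helper names and the sample host name are assumptions.

```python
import struct

# Content bytes copied from the rule in the post above.
RULE_CONTENT = bytes.fromhex("41 41 41 41 41 41 41 00 00 21 00 01")
NBSTAT, CLASS_IN = 0x0021, 0x0001
WILDCARD_NAME = b"*" + b"\x00" * 15

def encode_nb_name(name16: bytes) -> bytes:
    """First-level encoding (RFC 1001): each nibble becomes a letter 'A'..'P'."""
    return bytes(b for c in name16 for b in (0x41 + (c >> 4), 0x41 + (c & 0x0F)))

def build_node_status_query(txid: int, name16: bytes) -> bytes:
    """Constructed sample payload: 12-byte NBNS header, then name/type/class."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    question = b"\x20" + encode_nb_name(name16) + b"\x00"
    return header + question + struct.pack(">HH", NBSTAT, CLASS_IN)

def parse_question(payload: bytes):
    """Return (16-byte name, qtype, qclass), or None if not a single-question query."""
    if len(payload) < 50:
        return None
    flags, qdcount = struct.unpack(">HH", payload[2:6])
    if flags & 0x8000 or qdcount != 1 or payload[12] != 0x20 or payload[45] != 0:
        return None
    enc = payload[13:45]
    if any(not 0x41 <= b <= 0x50 for b in enc):
        return None
    name = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    qtype, qclass = struct.unpack(">HH", payload[46:50])
    return name, qtype, qclass

def rule_matches(payload: bytes) -> bool:
    """What the rule's content option does: unanchored substring match."""
    return RULE_CONTENT in payload

def is_wildcard_node_status(payload: bytes) -> bool:
    """Stricter check: parsed question is a node status query for the '*' name."""
    q = parse_question(payload)
    return q is not None and q == (WILDCARD_NAME, NBSTAT, CLASS_IN)

# Constructed samples: a wildcard query and a query for one named host.
WILDCARD = build_node_status_query(0x1234, WILDCARD_NAME)
NAMED = build_node_status_query(0x1235, b"FILESRV01".ljust(15) + b"\x00")

if __name__ == "__main__":
    for label, pkt in (("wildcard", WILDCARD), ("named", NAMED)):
        print(label, rule_matches(pkt), is_wildcard_node_status(pkt))
```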
