[Snort-sigs] Microsoft Baseline Security Analyzer - Signature yet?
rwagner at ...447...
Tue Apr 9 15:12:08 EDT 2002
I noticed Microsoft ditched their personal security tool and replaced it
with a vulnerability analyzer.
Now all users can scan your entire subnet with the click of a mouse.
It appears to need a UDP connection prior to performing an analysis. This
signature seems to work.
alert udp any 137 -> $HOME_NET 137 (msg:"Microsoft Baseline Security
Analyzer scan"; content: "|41 41 41 41 41 41 41 00 00 21 00 01|";)
This tool doesn't report anything about non-windows systems. Let me know if
you come up with a better signature.
More information about the Snort-sigs