[Snort-sigs] Microsoft Baseline Security Analyzer - Signature yet?

Robert Wagner rwagner at ...447...
Tue Apr 9 15:12:08 EDT 2002


I noticed Microsoft ditched their personal security tool and replaced it
with a vulnerability analyzer.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/Tools/mbsahome.asp

Now all users can scan your entire subnet with the click of a mouse.


It appears to need a UDP connection prior to performing an analysis.  This
signature seems to work.
alert udp any 137 -> $HOME_NET 137 (msg:"Microsoft Baseline Security Analyzer scan"; content: "|41 41 41 41 41 41 41 00 00 21 00 01|";)

This tool doesn't report anything about non-Windows systems.  Let me know if
you come up with a better signature.
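
Added example, not part of the original post: the rule's content bytes are the tail of the RFC 1001 encoded, null-padded wildcard name "*" followed by question type 0x0021 (NBSTAT) and class 0x0001 (IN), so this sketch builds NetBIOS name service queries and checks which ones the content match would fire on. The transaction ID, header flags and the host name FILESRV01 are constructed sample values, and only the payload match is modelled, not the rule's port or $HOME_NET conditions.

```python
import struct

# Content bytes copied from the rule in the post above.
SIG = bytes.fromhex("414141414141410000210001")

QTYPE_NB, QTYPE_NBSTAT, QCLASS_IN = 0x0020, 0x0021, 0x0001

def encode_name(raw16: bytes) -> bytes:
    """RFC 1001 first-level encoding: each nibble becomes 'A' + nibble."""
    if len(raw16) != 16:
        raise ValueError("NetBIOS names are exactly 16 bytes before encoding")
    out = bytearray([0x20])              # label length: 32 encoded bytes
    for b in raw16:
        out += bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)])
    return bytes(out) + b"\x00"          # root label terminator

def nbns_query(raw16: bytes, qtype: int, txid: int = 0x1234) -> bytes:
    """Name service query: 12-byte header plus a single question entry."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(raw16) + struct.pack(">HH", qtype, QCLASS_IN)

def rule_matches(payload: bytes) -> bool:
    """The rule has one content option with no offset or depth."""
    return SIG in payload

WILDCARD = b"*" + b"\x00" * 15                 # null-padded wildcard name
HOSTNAME = b"FILESRV01".ljust(15) + b"\x00"    # constructed, space-padded name

def demo() -> dict:
    return {
        "wildcard_nbstat": rule_matches(nbns_query(WILDCARD, QTYPE_NBSTAT)),
        "wildcard_nb": rule_matches(nbns_query(WILDCARD, QTYPE_NB)),
        "hostname_nbstat": rule_matches(nbns_query(HOSTNAME, QTYPE_NBSTAT)),
    }

if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name:16s} -> {'alert' if hit else 'no match'}")
```

Only the wildcard node status query matches, so the content identifies that query type rather than a particular tool: any client sending the same query from UDP port 137 would trigger the alert.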