[Snort-sigs] Microsoft Baseline Security Analyzer - Signature yet?

Robert Wagner rwagner at ...447...
Wed Apr 10 14:56:01 EDT 2002


After further testing, this signature has a lot of false positives.  The
content listed below is a very generic netbios handshake.  I haven't been
able to identify a specific signature related to just this software and not
general netbios and kerbos traffic.  It appears most of the data is pulled
across TCP 445 after some authentication.  The same authentication packets
will occur if you just select a resource on the machine you are scanning.  I
will keep looking.

-----Original Message-----
From: Robert Wagner 
Sent: Tuesday, April 09, 2002 5:11 PM
To: Snort-Sigs (E-mail)
Subject: [Snort-sigs] Microsoft Baseline Security Analyzer - Signature
yet?


I noticed Microsoft ditched their personal security tool and replaced it
with a vulnerability analyzer.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/
tools/Tools/mbsahome.asp

Now all users can scan your entire subnet with the click of a mouse.


It appears to need a UDP connection prior to performing an analysis.  This
signature seems to work.
alert udp any 137 -> $HOME_NET 137 (msg:"Microsoft Baseline Security
Analyzer scan"; content: "|41 41 41 41 41 41 41 00 00 21 00 01|";)

This tool doesn't report anything about non-windows systems.  Let me know if
you come up with a better signature.


_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs




More information about the Snort-sigs mailing list