[Snort-sigs] Beta rule: NBTSTAT -a Scan Reply?

Glenn Larsson ichinin at ...561...
Mon Apr 29 13:03:14 EDT 2002

Hi there.

I've been missing a rule that find response to a "NBTStat -A"
query so here is my suggestion:

alert udp $HOME_NET 137 -> $EXTERNAL_NET 137 (msg:"NBTStat -a Scan
(response)"; content:" CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; nocase;

It will miss responses from systems that does not provide a browselist
(Default: Win ME/98/95) but responses from more critical systems
(servers) should logged.

It is also my guess that quite a few security scanners will trigger this

Can anyone please validate this rule? i haven't seen any other traffic
(during experiments) that could trigger a false positive.


"You can't beat the system, but you can edit the registry."

More information about the Snort-sigs mailing list