[Snort-sigs] Beta rule: NBTSTAT -a Scan Reply?
ichinin at ...561...
Mon Apr 29 13:03:14 EDT 2002
I've been missing a rule that finds responses to an "NBTStat -A"
query, so here is my suggestion:
alert udp $HOME_NET 137 -> $EXTERNAL_NET 137 (msg:"NBTStat -a Scan (response)"; content:" CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; nocase;)
It will miss responses from systems that do not provide a browse list
(default: Win ME/98/95), but responses from more critical systems
(servers) should be logged.
It is also my guess that quite a few security scanners will trigger this.
Can anyone please validate this rule? I haven't seen any other traffic
(during experiments) that could trigger a false positive.
"You can't beat the system, but you can edit the registry."
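The following is an added example, not code from the original post: it shows where the rule's content string comes from (the NetBIOS first-level encoding of the node-status wildcard name "*", RFC 1001 section 14.1) and walks a small parser over constructed NBNS node-status packets so the rule can be checked against real captures. All packet contents, host names, flags and the MAC address are made up for the example; the encode/decode, builder and parser functions are my own and not part of Snort.

```python
# Added example, not part of the original post. NetBIOS first-level name
# encoding behind the rule's content string, plus a parser for NBNS
# node-status (NBSTAT) responses, run over constructed packets.
import struct

NBSTAT_TYPE = 0x0021   # NBSTAT record type
NB_TYPE = 0x0020       # ordinary NB name record type
CLASS_IN = 0x0001
QR_RESPONSE = 0x8000   # QR bit in the NBNS header flags


def encode_netbios_name(name: bytes, pad: bytes = b"\x00") -> bytes:
    """Each byte of the 16-byte name is split into two nibbles and each
    nibble becomes the ASCII letter 'A' + nibble, giving 32 letters A..P.
    The node-status wildcard "*" is NUL padded, so it encodes as "CK" + 30 "A"."""
    raw = name.ljust(16, pad)[:16]
    out = bytearray()
    for b in raw:
        out.append(0x41 + (b >> 4))
        out.append(0x41 + (b & 0x0F))
    return bytes(out)


def decode_netbios_name(encoded: bytes) -> bytes:
    """Inverse of encode_netbios_name; raises on a malformed 32-byte label."""
    if len(encoded) != 32 or any(not 0x41 <= c <= 0x50 for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    return bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                 for i in range(0, 32, 2))


# The rule's content is the label length byte 0x20 (a space) followed by the
# encoded wildcard name, i.e. b" CK" + b"A" * 30.
RULE_CONTENT = b"\x20" + encode_netbios_name(b"*")


def build_node_status_request(txid: int) -> bytes:
    """Constructed NBSTAT query as nbtstat -A sends it: header + one question."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    question = b"\x20" + encode_netbios_name(b"*") + b"\x00"
    return header + question + struct.pack(">HH", NBSTAT_TYPE, CLASS_IN)


def build_node_status_response(txid: int, names, mac: bytes) -> bytes:
    """Constructed NBSTAT response: one answer RR whose RDATA holds the node's
    name table (15-char name + suffix + 2 flag bytes each) followed by the
    46-byte statistics block, which starts with the adapter MAC address."""
    header = struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0)
    rr_name = b"\x20" + encode_netbios_name(b"*") + b"\x00"
    rdata = bytes([len(names)])
    for name, suffix, flags in names:
        rdata += name.ljust(15, b" ")[:15] + bytes([suffix]) + struct.pack(">H", flags)
    rdata += mac + b"\x00" * 40
    rr_fixed = struct.pack(">HHIH", NBSTAT_TYPE, CLASS_IN, 0, len(rdata))
    return header + rr_name + rr_fixed + rdata


def rule_content_matches(payload: bytes) -> bool:
    """What the proposed rule's content test does: a case-insensitive search."""
    return RULE_CONTENT.lower() in payload.lower()


def parse_node_status_response(payload: bytes):
    """Return (names, mac) for a response to a "*" NBSTAT query, else None.
    Checks the QR bit, answer count, echoed wildcard name and record type
    rather than the raw byte pattern alone."""
    if len(payload) < 12:
        return None
    _txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", payload[:12])
    if not flags & QR_RESPONSE or an < 1:
        return None
    off = 12
    if len(payload) < off + 34 or payload[off] != 0x20:
        return None
    try:
        qname = decode_netbios_name(payload[off + 1:off + 33])
    except ValueError:
        return None
    if qname[0:1] != b"*" or payload[off + 33] != 0x00:
        return None
    off += 34
    if len(payload) < off + 10:
        return None
    rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", payload[off:off + 10])
    off += 10
    if rtype != NBSTAT_TYPE or rdlen < 1 or len(payload) < off + rdlen:
        return None
    rdata = payload[off:off + rdlen]
    names, pos = [], 1
    for _ in range(rdata[0]):
        if pos + 18 > len(rdata):
            return None
        e = rdata[pos:pos + 18]
        names.append((e[:15].rstrip(b" "), e[15], struct.unpack(">H", e[16:18])[0]))
        pos += 18
    mac = rdata[pos:pos + 6] if pos + 6 <= len(rdata) else b""
    return names, mac


# Constructed sample traffic (names, flags and MAC are invented).
SAMPLE_MAC = bytes.fromhex("0200000000ab")
SAMPLE_NAMES = [(b"FILESRV01", 0x00, 0x0400), (b"FILESRV01", 0x20, 0x0400),
                (b"EXAMPLEDOM", 0x00, 0x8400)]
SAMPLE_RESPONSE = build_node_status_response(0x1234, SAMPLE_NAMES, SAMPLE_MAC)
SAMPLE_REQUEST = build_node_status_request(0x1234)
# An ordinary positive name-query response for FILESRV01 (type NB, IP 192.0.2.10).
SAMPLE_NAME_QUERY = (struct.pack(">HHHHHH", 0x1235, 0x8500, 0, 1, 0, 0)
                     + b"\x20" + encode_netbios_name(b"FILESRV01", b" ") + b"\x00"
                     + struct.pack(">HHIH", NB_TYPE, CLASS_IN, 300000, 6)
                     + b"\x00\x00" + bytes([192, 0, 2, 10]))
```

Running `rule_content_matches` over the three constructed packets shows the content test fires on the node-status response and stays quiet on the ordinary name-query response, but it also fires on the node-status request, because the request carries the same echoed "*" label; only the source/destination filter in the rule header separates the two directions. `parse_node_status_response` accepts only packets with the QR bit set and an NBSTAT answer record, which is the extra condition a rule would need if it must not fire on a request leaving $HOME_NET.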