[Snort-sigs] Netbios Domain Name Sig

nnposter at ...592...
Thu Jul 15 15:12:05 EDT 2004


> We are having a problem with people plugging personal computers into our
> network. When opening up Network Neighborhood and trying to browse to the
> domain or workgroup, etc. 'home123', it can't find any computers of course.
> What I would like to do is set up a Snort sig that will generate alerts on
> packets from computers that broadcast their domain/workgroup name as
> 'home123'. I am having a hard time getting the filter to work. Has anyone else
> ever set up such a sig?
>  
> Thanks!

alert udp any any -> any 137 (msg:"NB name home123"; content:"GIGPGNGFDBDCDD";)
alert udp any any -> any 137 (msg:"NB name HOME123"; content:"EIEPENEFDBDCDD";)


Cheers,
nnposter
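
How the content strings in the two rules above are derived, as an added example that is not part of the original post: NetBIOS first-level encoding (RFC 1001) splits each byte of the name into two nibbles and adds each to 'A'. The helper names and the padded full-name variant are assumptions added for illustration; the padded form goes beyond the post's prefix match, which also fires on any longer name that starts with the same characters.

```python
# Added example (not from the original post): RFC 1001 first-level
# encoding of a NetBIOS name, as matched by the content strings above.
# All function names here are hypothetical helpers.

def nb_encode(raw: bytes) -> str:
    """Each byte becomes two letters: 'A' + high nibble, 'A' + low nibble."""
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw)

def nb_decode(encoded: str) -> bytes:
    """Inverse of nb_encode; rejects input that is not a valid encoding."""
    if len(encoded) % 2 or any(not "A" <= c <= "P" for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    return bytes(((ord(hi) - 0x41) << 4) | (ord(lo) - 0x41)
                 for hi, lo in zip(encoded[::2], encoded[1::2]))

def full_name(name: str, suffix: int = 0x00) -> str:
    """Encode the 16-byte wire form: name space-padded to 15 bytes + suffix."""
    raw = name.encode("ascii")
    if len(raw) > 15:
        raise ValueError("NetBIOS names are at most 15 characters")
    return nb_encode(raw.ljust(15, b" ") + bytes([suffix]))

def prefix_rule(name: str) -> str:
    """Rule in the style of the post: matches any name starting with `name`."""
    return ('alert udp any any -> any 137 (msg:"NB name %s"; content:"%s";)'
            % (name, nb_encode(name.encode("ascii"))))

if __name__ == "__main__":
    # Both spellings, since the encoding is case-sensitive.
    for n in ("home123", "HOME123"):
        print(prefix_rule(n))
    # Padded form separates HOME123 from e.g. HOME1234 (constructed name).
    print(full_name("HOME123"))
    # Decoding a string seen in a capture or an alert back to the name.
    print(nb_decode("EIEPENEFDBDCDD").decode("ascii"))
```

Using the output of `full_name` as the content string restricts the match to that exact name and suffix byte; each space of padding encodes as `CA`.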



