[Snort-sigs] Netbios Domain Name Sig
jlinden at ...2632...
Fri Jul 16 12:56:04 EDT 2004
Thanks! Does anyone know what the offset for the name in a netbios packet
would be for this? I would like to set up a negate rule which would say:
alert udp any any -> any 137 (msg:"NB name home123";
From: nnposter at ...592... [mailto:nnposter at ...592...]
Sent: Friday, July 16, 2004 1:20 PM
To: jlinden at ...2632...
Subject: RE: [Snort-sigs] Netbios Domain Name Sig
From: "Jason Linden" <jlinden at ...2632...>
> Thanks! How did you come up with the "GIGPGNGFDBDCDD"?
> -----Original Message-----
> From: snort-sigs-admin at lists.sourceforge.net
> [mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of
> nnposter at ...592...
> Sent: Thursday, July 15, 2004 6:11 PM
> To: snort-sigs at lists.sourceforge.net
> Subject: Re: [Snort-sigs] Netbios Domain Name Sig
> > We are having a problem with people plugging in personal computers onto
> > network. When opening up network Neighborhood and trying to browse to
> > domain or workgroup, etc 'home123', it can't find any computers of
> > What I would like to do is set up a snort sig that will generate alerts
> > packets from computers who broadcast their domain/workgroup name as
> > 'home123'. I am having a hard time getting the filter to work. Anyone
> > ever set up such a sig?
> > Thanks!
> alert udp any any -> any 137 (msg:"NB name home123";
> alert udp any any -> any 137 (msg:"NB name HOME123";
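Added example, not part of the original thread: the string "GIGPGNGFDBDCDD" is what RFC 1001 first-level encoding produces for "home123" (each byte is split into two nibbles and 'A' is added to each), and the sketch below reproduces it, the uppercase variant, and the name's position in a name-service query. The helper names, the transaction ID and the sample packet are constructed for illustration; the offset of 13 assumes the name is the first question in the UDP payload (12-byte header plus one length byte).

```python
import struct

NAME_OFFSET = 13  # 12-byte name-service header + 1 length byte (0x20)

def nb_encode(name: str, suffix: int = 0x00, pad: bool = True) -> str:
    """RFC 1001 first-level encoding: every byte becomes two letters 'A'..'P'."""
    raw = name.encode("ascii")
    if pad:  # on the wire: space-padded to 15 bytes, then a 1-byte suffix
        if len(raw) > 15:
            raise ValueError("NetBIOS names are at most 15 characters")
        raw = raw.ljust(15, b" ") + bytes([suffix])
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw)

def nb_decode(encoded: bytes) -> bytes:
    """Reverse the encoding; reject anything outside 'A'..'P'."""
    if len(encoded) % 2:
        raise ValueError("encoded name must have even length")
    out = bytearray()
    for hi, lo in zip(encoded[0::2], encoded[1::2]):
        if not (0x41 <= hi <= 0x50 and 0x41 <= lo <= 0x50):
            raise ValueError("byte outside 'A'..'P'")
        out.append(((hi - 0x41) << 4) | (lo - 0x41))
    return bytes(out)

def name_from_query(payload: bytes):
    """Return (name, suffix) of the first question in a UDP/137 payload."""
    if len(payload) < NAME_OFFSET + 33 or payload[12] != 0x20:
        raise ValueError("not a single-label name-service question")
    raw = nb_decode(payload[NAME_OFFSET:NAME_OFFSET + 32])
    return raw[:15].rstrip(b" ").decode("ascii", "replace"), raw[15]

def build_query(name: str, suffix: int = 0x00) -> bytes:
    """Constructed sample: broadcast name query (id and flags are made up)."""
    header = struct.pack(">HHHHHH", 0x1234, 0x0110, 1, 0, 0, 0)
    question = b"\x20" + nb_encode(name, suffix).encode("ascii") + b"\x00"
    return header + question + struct.pack(">HH", 0x0020, 0x0001)  # NB, IN

if __name__ == "__main__":
    for n in ("home123", "HOME123"):
        print(n, "->", nb_encode(n, pad=False))
    pkt = build_query("HOME123", 0x1E)
    print("name at offset", NAME_OFFSET, "->", name_from_query(pkt))
```

Because the two cases encode to different letter pairs, a case-insensitive content match on the encoded string does not cover both spellings, which is why the thread carries one rule per case.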