[Snort-sigs] Netbios Domain Name Sig

Jason Linden jlinden at ...2632...
Fri Jul 16 12:56:04 EDT 2004


Thanks!  Does anyone know what the offset for the name in a NetBIOS packet
would be for this?  I would like to set up a negate rule which would say:

alert udp any any -> any 137 (msg:"NB name home123";
content:!"GIGPGNGFDBDCDD";offset:xx;depth:16;)

-jason

-----Original Message-----
From: nnposter at ...592... [mailto:nnposter at ...592...]

Sent: Friday, July 16, 2004 1:20 PM
To: jlinden at ...2632...
Subject: RE: [Snort-sigs] Netbios Domain Name Sig

From: "Jason Linden" <jlinden at ...2632...>
> Thanks! How did you come up with the "GIGPGNGFDBDCDD"?

RFC 1001

> -----Original Message-----
> From: snort-sigs-admin at lists.sourceforge.net
> [mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of
> nnposter at ...592...
> Sent: Thursday, July 15, 2004 6:11 PM
> To: snort-sigs at lists.sourceforge.net
> Subject: Re: [Snort-sigs] Netbios Domain Name Sig
> 
> > We are having a problem with people plugging in personal computers onto
> > our network. When opening up Network Neighborhood and trying to browse to
> > the domain or workgroup, e.g. 'home123', it can't find any computers of
> > course. What I would like to do is set up a Snort sig that will generate
> > alerts on packets from computers who broadcast their domain/workgroup name
> > as 'home123'. I am having a hard time getting the filter to work. Anyone
> > else ever set up such a sig?
> >
> > Thanks!
> 
> alert udp any any -> any 137 (msg:"NB name home123";
> content:"GIGPGNGFDBDCDD";)
> alert udp any any -> any 137 (msg:"NB name HOME123";
> content:"EIEPENEFDBDCDD";)
> 
> 
> Cheers,
> nnposter
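
A worked example, added here and not part of any post in this thread: the RFC 1001 first-level encoding that produces the GIGPGNGFDBDCDD / EIEPENEFDBDCDD strings nnposter posted, its decoder, and a constructed NBNS name query laid out per RFC 1002 so that the UDP payload offset of the encoded name can be read off for a rule like the one above. The 12-byte header and the 0x20 length label come from RFC 1002; the function names, the transaction id and the flags value are assumptions made for the example.

```python
# Added example for this thread (not code from the original posts): RFC 1001
# "first-level" NetBIOS name encoding, the reverse decoding, and a constructed
# NBNS name query (RFC 1002 section 4.2.12) used to show where the encoded
# name sits in the UDP/137 payload. Function names, the transaction id and
# the flags value are assumptions made for the example.
import struct
from typing import Tuple

NBNS_HEADER_LEN = 12      # ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (2 bytes each)
ENCODED_NAME_LEN = 32     # 16 raw bytes -> 32 characters in the range 'A'..'P'


def first_level_encode(name: str, suffix: int = 0x00) -> str:
    """Encode a NetBIOS name as RFC 1001 section 14.1 describes.

    The name is space-padded to 15 bytes and followed by a one-byte suffix
    (0x00 is the workstation type).  Every byte is then split into its two
    nibbles and each nibble is added to ord('A'), so 'h' (0x68) becomes 'G' 'I'.
    The first 14 characters for 'home123' are therefore GIGPGNGFDBDCDD; each
    0x20 padding space encodes as 'CA'.
    """
    raw = name.encode("ascii")
    if len(raw) > 15:
        raise ValueError("NetBIOS names are at most 15 bytes")
    raw = raw.ljust(15, b" ") + bytes([suffix & 0xFF])
    return "".join(chr(ord("A") + (b >> 4)) + chr(ord("A") + (b & 0x0F)) for b in raw)


def first_level_decode(encoded: str) -> Tuple[str, int]:
    """Reverse of first_level_encode; returns (name without padding, suffix)."""
    if len(encoded) != ENCODED_NAME_LEN or any(not "A" <= c <= "P" for c in encoded):
        raise ValueError("expected 32 characters in the range A-P")
    raw = bytes(
        ((ord(encoded[i]) - ord("A")) << 4) | (ord(encoded[i + 1]) - ord("A"))
        for i in range(0, ENCODED_NAME_LEN, 2)
    )
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15]


def build_nbns_query(name: str, suffix: int = 0x00, txid: int = 0x1234) -> bytes:
    """Constructed NBNS NAME QUERY REQUEST payload (no IP/UDP headers).

    Layout per RFC 1002: 12-byte header, then the question name as a length
    label 0x20 followed by the 32 encoded characters and a 0x00 terminator,
    then QTYPE NB (0x0020) and QCLASS IN (0x0001).  Flags 0x0110 = RD + B
    (recursion desired, broadcast), as a browsing client would send.
    """
    header = struct.pack(">HHHHHH", txid, 0x0110, 1, 0, 0, 0)
    qname = bytes([ENCODED_NAME_LEN]) + first_level_encode(name, suffix).encode("ascii") + b"\x00"
    return header + qname + struct.pack(">HH", 0x0020, 0x0001)


def encoded_name_offset(payload: bytes) -> int:
    """Return the payload offset of the first encoded name character, or -1.

    Snort's content offset counts from the start of the UDP payload, so this
    is the value a rule needs: 12 header bytes plus the 0x20 length label
    gives 13 for a single-question NBNS packet.
    """
    if len(payload) < NBNS_HEADER_LEN + 1 + ENCODED_NAME_LEN + 1:
        return -1
    (qdcount,) = struct.unpack(">H", payload[4:6])
    if qdcount != 1 or payload[NBNS_HEADER_LEN] != ENCODED_NAME_LEN:
        return -1
    return NBNS_HEADER_LEN + 1


def query_name(payload: bytes) -> Tuple[str, int]:
    """Decode the question name of an NBNS packet shaped like the one above."""
    off = encoded_name_offset(payload)
    if off < 0:
        raise ValueError("not an NBNS question packet")
    return first_level_decode(payload[off:off + ENCODED_NAME_LEN].decode("ascii"))


def content_matches(payload: bytes, content: str, offset: int, depth: int) -> bool:
    """Model of a Snort content:"..."; offset:N; depth:M; check: the pattern is
    searched for only inside the depth-byte window starting at offset."""
    return content.encode("ascii") in payload[offset:offset + depth]


if __name__ == "__main__":
    pkt = build_nbns_query("home123")
    print(first_level_encode("home123"))                  # GIGPGNGFDBDCDDCACACACACACACACAAA
    print(encoded_name_offset(pkt))                       # 13
    print(query_name(pkt))                                # ('home123', 0)
    print(content_matches(pkt, "GIGPGNGFDBDCDD", 13, 16))  # True
```

In a real capture the encoded name is always 32 characters (the 15-byte space-padded name plus the suffix byte), so a 14-character content string such as GIGPGNGFDBDCDD matches it as a prefix; `content_matches` models the offset/depth window that a rule with `offset:13; depth:16;` would search, and the decoder is the quickest way to check what a captured UDP/137 payload is actually announcing before tuning a negated rule.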
