[Snort-sigs] Netbios Domain Name Sig

Tim Otis tim at ...2637...
Fri Jul 16 13:38:04 EDT 2004


The format of certain NetBIOS packets can be found in RFC 1002; check out
section '4.3 SESSION SERVICE PACKETS'. Note the separate NetBIOS packet
types and their structures; it's not guaranteed that a NetBIOS
packet contains encoded names. However, some definitely do.

tim




On Fri, 16 Jul 2004, Jason Linden wrote:

> Thanks!  Does anyone know what the offset for the name in a netbios packet
> would be for this?  I would like to set up a negate rule which would say:
>
> alert udp any any -> any 137 (msg:"NB name home123"; content:!"GIGPGNGFDBDCDD"; offset:xx; depth:16;)
>
> -jason
>
> -----Original Message-----
> From: nnposter at ...592... [mailto:nnposter at ...592...]
>
> Sent: Friday, July 16, 2004 1:20 PM
> To: jlinden at ...2632...
> Subject: RE: [Snort-sigs] Netbios Domain Name Sig
>
> From: "Jason Linden" <jlinden at ...2632...>
> > Thanks! How did you come up with the "GIGPGNGFDBDCDD"?
>
> RFC 1001
>
> > -----Original Message-----
> > From: snort-sigs-admin at lists.sourceforge.net
> > [mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of
> > nnposter at ...592...
> > Sent: Thursday, July 15, 2004 6:11 PM
> > To: snort-sigs at lists.sourceforge.net
> > Subject: Re: [Snort-sigs] Netbios Domain Name Sig
> >
> > > We are having a problem with people plugging in personal computers onto our
> > > network. When opening up network Neighborhood and trying to browse to the
> > > domain or workgroup, etc 'home123', it can't find any computers of course.
> > > What I would like to do is set up a snort sig that will generate alerts on
> > > packets from computers who broadcast their domain/workgroup name as
> > > 'home123'. I am having a hard time getting the filter to work. Anyone else
> > > ever set up such a sig?
> > >
> > > Thanks!
> >
> > alert udp any any -> any 137 (msg:"NB name home123"; content:"GIGPGNGFDBDCDD";)
> > alert udp any any -> any 137 (msg:"NB name HOME123"; content:"EIEPENEFDBDCDD";)
> >
> >
> > Cheers,
> > nnposter
>
>
>
>

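The "GIGPGNGFDBDCDD" / "EIEPENEFDBDCDD" strings in the rules above come from the RFC 1001 first-level name encoding: the name is space-padded to 15 bytes, a one-byte suffix is appended, and every nibble of each byte is written as 'A' plus the nibble. The code below is an added example, not code from the thread; the NBNS query layout it builds follows RFC 1002 section 4.2.12, and the transaction id and flags value it uses are constructed sample values.

```python
import struct

def encode_netbios_name(name: str, suffix: int = 0x00) -> str:
    """RFC 1001 first-level encoding: pad to 15 bytes with spaces, append
    the one-byte suffix, then emit each nibble as 'A' + nibble (32 chars)."""
    raw = name.encode("ascii")
    if len(raw) > 15:
        raise ValueError("NetBIOS names are at most 15 characters")
    raw = raw.ljust(15, b" ") + bytes([suffix])
    out = []
    for byte in raw:
        out.append(chr(0x41 + (byte >> 4)))    # high nibble -> 'A'..'P'
        out.append(chr(0x41 + (byte & 0x0F)))  # low nibble  -> 'A'..'P'
    return "".join(out)

def decode_netbios_name(encoded: str) -> tuple[str, int]:
    """Reverse of the encoding: returns (name without padding, suffix byte)."""
    if len(encoded) != 32 or any(not ("A" <= c <= "P") for c in encoded):
        raise ValueError("expected 32 characters in the range A-P")
    raw = bytes(((ord(encoded[i]) - 0x41) << 4) | (ord(encoded[i + 1]) - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15]

def build_nbns_query(name: str, suffix: int = 0x00, txid: int = 0x1234) -> bytes:
    """Constructed NBNS name query (RFC 1002 4.2.12): 12-byte header with
    RD and B flags set (0x0110), one question, then the question name as a
    single 32-byte label plus a zero root label, QTYPE NB, QCLASS IN."""
    header = struct.pack(">HHHHHH", txid, 0x0110, 1, 0, 0, 0)
    qname = b"\x20" + encode_netbios_name(name, suffix).encode("ascii") + b"\x00"
    return header + qname + struct.pack(">HH", 0x0020, 0x0001)

def extract_query_name(packet: bytes) -> tuple[int, str, int]:
    """Locate the encoded name in a query and return (offset, name, suffix).
    The encoded name starts at offset 13 (12-byte header + 1-byte label
    length), which is the region a content match with offset/depth would
    need to cover in a packet of this shape."""
    if len(packet) < 13 + 32 or packet[12] != 0x20:
        raise ValueError("not a single-label NBNS question")
    encoded = packet[13:13 + 32].decode("ascii")
    name, suffix = decode_netbios_name(encoded)
    return 13, name, suffix
```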