[Snort-sigs] Netbios Domain Name Sig

Ron Jackson ronald_jackson at ...2635...
Tue Jul 20 05:55:19 EDT 2004


Now that is a cool idea that would help us immensely also.  I've caught a few unauthorized machines on our network, but it was dumb luck because they set off a signature that made me curious.  I'd look up the IP to investigate, and notice it didn't have our standard build.

I'm not good at all at writing signatures, but would LOVE to have one that alerted on the Netbios broadcast for machines NOT having a particular Domain and/or workgroup name.  I only have a few Domains and/or workgroups that should be on my network.

Any ideas?

-- 
Ron Jackson
IS Security Specialist
Lifenet
x4667

On Thursday, July 15, 2004 6:10 PM, nnposter at ...592... wrote:
>> We are having a problem with people plugging in personal computers onto our
>> network. When opening up network Neighborhood and trying to browse to the
>> domain or workgroup, etc 'home123', it can't find any computers of course.
>> What I would like to do is set up a snort sig that will generate alerts on
>> packets from computers who broadcast their domain/workgroup name as
>> 'home123'. I am having a hard time getting the filter to work. Anyone else
>> ever set up such a sig?
>>  
>> Thanks!
>
>alert udp any any -> any 137 (msg:"NB name home123"; content:"GIGPGNGFDBDCDD";)
>alert udp any any -> any 137 (msg:"NB name HOME123"; content:"EIEPENEFDBDCDD";)
>
>
>Cheers,
>nnposter
>
>
>
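Added example, not part of either post: the `content` strings in the quoted rules are the NetBIOS first-level encoding (RFC 1001) of the workgroup name, and this Python sketch reproduces that encoding and inverts it to run the allowlist check asked for in the reply (flag any domain/workgroup name that is not approved). All function names, the `CORP`/`LAB` allowlist and the sample packet are constructed for illustration; restricting the check to suffixes 0x1B-0x1E is an assumption of this example, made because suffix 0x00 is also used for host names.

```python
import struct

# Suffix bytes that carry a domain/workgroup name rather than a host name.
# 0x00 is ambiguous (used for both), so this example skips it.
GROUP_SUFFIXES = {0x1B, 0x1C, 0x1D, 0x1E}
ALLOWED = {"CORP", "LAB"}  # constructed allowlist of approved names

def half_ascii(raw: bytes) -> str:
    """First-level encoding: each byte becomes two letters, 'A' + nibble."""
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw)

def encode_name(name: str, suffix: int) -> str:
    """Full 32-character wire form: name space-padded to 15 bytes, then suffix."""
    return half_ascii(name.encode("ascii")[:15].ljust(15, b" ") + bytes([suffix]))

def decode_name(encoded: bytes):
    """Reverse the encoding; returns (name, suffix) or raises ValueError."""
    if len(encoded) != 32 or not all(0x41 <= c <= 0x50 for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii", "replace").rstrip(" "), raw[15]

def question_name(payload: bytes):
    """Pull the first question name out of a UDP/137 payload."""
    if len(payload) < 12 + 1 + 32 + 1:
        raise ValueError("payload too short")
    qdcount = struct.unpack("!H", payload[4:6])[0]
    if qdcount < 1 or payload[12] != 0x20:
        raise ValueError("no encoded question name")
    return decode_name(payload[13:45])

def unapproved_group(payload: bytes, allowed: set):
    """Return the domain/workgroup name if it is not on the allowlist, else None."""
    try:
        name, suffix = question_name(payload)
    except ValueError:
        return None
    if suffix in GROUP_SUFFIXES and name.upper() not in allowed:
        return name
    return None

def sample_packet(name: str, suffix: int) -> bytes:
    """Constructed broadcast name query: 12-byte header plus one question."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0110, 1, 0, 0, 0)
    question = b"\x20" + encode_name(name, suffix).encode("ascii") + b"\x00"
    return header + question + struct.pack("!HH", 0x0020, 0x0001)
```

`half_ascii(b"home123")` gives the first rule's content string; because the rules match only that unpadded prefix, they also fire on longer names that begin with the same characters.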





