[Snort-sigs] Netbios Domain Name Sig

Joseph Gama josephgama at ...144...
Tue Jul 20 18:26:59 EDT 2004


Jason,

I think it's better to detect not a particular
unwanted name but all except the ones used in the
network. That is what I did with the "Rules to detect
netbios unauthorized access".

Peace,

Joseph

--- Jason Linden <jlinden at ...2632...> wrote:
> Thanks!  Does anyone know what the offset for the name in a netbios packet
> would be for this?  I would like to set up a negate rule which would say:
> 
> alert udp any any -> any 137 (msg:"NB name home123"; content:!"GIGPGNGFDBDCDD";offset:xx;depth:16;)
> 
> -jason
> 
> -----Original Message-----
> From: nnposter at ...592...
> [mailto:nnposter at ...592...]
> 
> Sent: Friday, July 16, 2004 1:20 PM
> To: jlinden at ...2632...
> Subject: RE: [Snort-sigs] Netbios Domain Name Sig
> 
> From: "Jason Linden" <jlinden at ...2632...>
> > Thanks! How did you come up with the "GIGPGNGFDBDCDD"?
> 
> RFC 1001
> 
> > -----Original Message-----
> > From: snort-sigs-admin at lists.sourceforge.net
> > [mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of
> > nnposter at ...592...
> > Sent: Thursday, July 15, 2004 6:11 PM
> > To: snort-sigs at lists.sourceforge.net
> > Subject: Re: [Snort-sigs] Netbios Domain Name Sig
> > 
> > > We are having a problem with people plugging in personal computers onto
> > > our network. When opening up network Neighborhood and trying to browse to
> > > the domain or workgroup, etc 'home123', it can't find any computers of
> > > course. What I would like to do is set up a snort sig that will generate
> > > alerts on packets from computers who broadcast their domain/workgroup
> > > name as 'home123'. I am having a hard time getting the filter to work.
> > > Anyone else ever set up such a sig?
> > >  
> > > Thanks!
> > 
> > alert udp any any -> any 137 (msg:"NB name home123"; content:"GIGPGNGFDBDCDD";)
> > alert udp any any -> any 137 (msg:"NB name HOME123"; content:"EIEPENEFDBDCDD";)
> > 
> > 
> > Cheers,
> > nnposter
> 
> 
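
Added example, not part of the original thread and not code from any poster: the RFC 1001 first-level encoding that turns "home123" into "GIGPGNGFDBDCDD", plus the allowlist check suggested in the reply, in Python. It assumes a plain name-service payload whose first question starts right after the 12-byte header, so the length byte sits at payload byte 12 and the 32 encoded characters at bytes 13 to 44; `ALLOWED`, `CORPDOMAIN`, `build_query` and the sample packets are constructed for illustration.

```python
import struct

NBNS_HEADER_LEN = 12     # fixed header, same layout as DNS
ENCODED_NAME_LEN = 32    # 16 name bytes, two characters per byte

def encode_name(name, suffix=0x00):
    """Pad to 15 bytes with spaces, append the suffix byte, map each nibble to 'A'..'P'."""
    raw = name.encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw)

def decode_name(encoded):
    """Reverse the encoding; returns (name without padding, suffix byte)."""
    if len(encoded) != ENCODED_NAME_LEN or any(not "A" <= c <= "P" for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((ord(encoded[i]) - 0x41) << 4) | (ord(encoded[i + 1]) - 0x41)
                for i in range(0, ENCODED_NAME_LEN, 2))
    return raw[:15].decode("ascii", "replace").rstrip(" "), raw[15]

def question_name(payload):
    """Name from the first question of a UDP/137 payload, or None if it does not parse."""
    end = NBNS_HEADER_LEN + 1 + ENCODED_NAME_LEN
    if len(payload) < end + 1:
        return None
    qdcount = struct.unpack("!H", payload[4:6])[0]
    if qdcount < 1 or payload[NBNS_HEADER_LEN] != ENCODED_NAME_LEN:
        return None
    try:
        return decode_name(payload[NBNS_HEADER_LEN + 1:end].decode("ascii"))
    except (ValueError, UnicodeDecodeError):
        return None

def is_unauthorized(payload, allowed):
    """True when the packet carries a name outside the allowlist (case-insensitive)."""
    parsed = question_name(payload)
    return parsed is not None and parsed[0].upper() not in {a.upper() for a in allowed}

def build_query(name, suffix=0x00):
    """Constructed sample packet: header, one question, type NB, class IN."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0110, 1, 0, 0, 0)
    question = bytes([ENCODED_NAME_LEN]) + encode_name(name, suffix).encode() + b"\x00"
    return header + question + struct.pack("!HH", 0x0020, 0x0001)

ALLOWED = ["CORPDOMAIN"]  # hypothetical authorised domain/workgroup name
```

Decoding the full 32-character field before comparing avoids needing one content string per letter-case variant, which is why the thread's rules list "home123" and "HOME123" separately.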