I might have found the answer for Snort but not LEM.
Identify Null Sessions with IDS
If the registry changes or firewall rules mentioned earlier break the functionality of network applications, then you must switch to a reactive approach rather than a proactive one. Rather than preventing enumeration through null sessions the best we can hope to do is catch it when it happens and react to it as we would a normal network security incident.
If you are using Snort, the most popular IDS in production today, then the following rule will detect null session enumeration (taken from the Intrusion Detection with Snort, by Jack Koziol):
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:”NETBIOS NT NULL session”; flow:to_server.establshed;
content: ‘|00 00 00 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 20 00 4E 00 54 00 20 00 31 00 33 00 38 00 31|’; classtype:attempted-recon;)
This would not prevent null session connections from occurring, but it will alert you when they do so you can react appropriately.