Channel: THWACK: Message List - Security Event Manager (SEM) - Formerly Log & Event Manager

Re: Null Session Enumeration


I might have found the answer for Snort but not LEM.

 

From The Anatomy of an Attack

Identify Null Sessions with IDS

If the registry changes or firewall rules mentioned earlier break the functionality of network applications, then you must switch to a reactive approach rather than a proactive one. Rather than preventing enumeration through null sessions, the best we can hope to do is catch it when it happens and react to it as we would a normal network security incident.


If you are using Snort, the most popular IDS in production today, then the following rule will detect null session enumeration (taken from Intrusion Detection with Snort, by Jack Koziol):


alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS NT NULL session"; flow:to_server,established; content:"|00 00 00 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 20 00 4E 00 54 00 20 00 31 00 33 00 38 00 31|"; classtype:attempted-recon;)


This would not prevent null session connections from occurring, but it will alert you when they do so you can react appropriately.
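
Added example (not part of the original post or the quoted article): a short Python script that decodes the rule's content bytes to show which string the signature keys on, then runs the same byte match over two constructed payload fragments. The function names and the sample payloads are assumptions made for illustration.

```python
# Content pattern copied from the Snort rule above (|...| encloses hex bytes).
RULE_CONTENT = ("|00 00 00 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 20 00 "
                "4E 00 54 00 20 00 31 00 33 00 38 00 31|")


def decode_content(pattern: str) -> bytes:
    """Convert a Snort content string (literal text mixed with |hex| runs) to bytes.

    Backslash escapes are not handled; the rule above does not use any.
    """
    parts = pattern.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced '|' in content pattern")
    out = bytearray()
    for i, part in enumerate(parts):
        # Odd-indexed parts sit between pipes and hold space-separated hex bytes.
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def readable(pattern: bytes) -> str:
    """Return the UTF-16LE text the signature keys on."""
    body = pattern.lstrip(b"\x00")
    if len(body) % 2:
        body += b"\x00"  # the pattern stops one byte short of the last code unit
    return body.decode("utf-16-le")


def rule_matches(payload: bytes) -> bool:
    """Plain substring search, which is what an unmodified content option does."""
    return decode_content(RULE_CONTENT) in payload


# Constructed payload fragments for illustration, not captured traffic.
SAMPLE_NT4 = b"\x00" * 4 + "Windows NT 1381".encode("utf-16-le") + b"\x00\x00"
SAMPLE_OTHER = b"\x00" * 4 + "Windows 2000 2195".encode("utf-16-le") + b"\x00\x00"

if __name__ == "__main__":
    print("signature string:", repr(readable(decode_content(RULE_CONTENT))))
    for name, sample in (("NT4", SAMPLE_NT4), ("other", SAMPLE_OTHER)):
        print(name, "->", "alert" if rule_matches(sample) else "no alert")
```

The decoded string is `Windows NT 1381`, so the signature fires only on payloads that carry that exact string after four NUL bytes; a payload with any other string in that position produces no alert.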

