Extending an Open Source IDS to Detect Attacks Against NetBIOS
Todd O'Boyle - MITRE
Sep 25, 2002
Abstract
NetBIOS and the protocols tied in closely to it are what make file
sharing go 'round when it comes to personal computer networks.
Unfortunately, though, intrusion detection system (IDS) vendors
haven't paid much attention to these protocols when designing their
systems. In this talk we describe how the Open Source IDS Snort was
extended to be able to better detect attacks against an organization's
NetBIOS infrastructure. We first discuss some requisite knowledge of
the NetBIOS suite of protocols (NetBIOS Session Service, SMB, LANMAN,
etc.). From there we discuss the changes we made to Snort itself, along
with a few examples to describe the use of such a capability. We wrap
up with some interesting findings from the NetBIOS protocols we found
when doing our digging.
About the Speaker
Todd O'Boyle is a Senior Information Systems Security Engineer with
the MITRE Corporation. He has a B.S. in Computer Science from Purdue
University, and has been working in information security since
completing his degree in 1999. Todd is currently on assignment to
the Defense Information Systems Agency (DISA) Regional CERT located
at Scott AFB, IL. His responsibilities currently include engineering
of a 200+ intrusion detection sensor grid that monitors key networks
for the military worldwide. He also has experience performing
vulnerability assessments, designing hardened networks, and analyzing
system compromises.
Unless otherwise noted, the security seminar is held on Wednesdays at 4:30 P.M. in
STEW G52, West Lafayette Campus.
© 1999-2013 Purdue University. All rights reserved.
Use/Reuse Guidelines
CERIAS Seminar materials are intended for educational, non-commercial use only and any or all commercial use is prohibited. Any use must attribute "The CERIAS Seminar at Purdue University." Opinions expressed in the recordings are not necessarily representative of the views of CERIAS or of Purdue University.