CERIAS - Center for Education and Research in Information Assurance and Security


Extending an Open Source IDS to Detect Attacks Against NetBIOS

Todd O'Boyle - MITRE

Sep 25, 2002


NetBIOS and the protocols tied closely to it are what make file
sharing go 'round when it comes to personal computer networks.
Unfortunately, though, intrusion detection system (IDS) vendors
haven't paid much attention to these protocols when designing their
systems. In this talk we describe how the Open Source IDS Snort was
extended to better detect attacks against an organization's
NetBIOS infrastructure. We first discuss some requisite knowledge of
the NetBIOS suite of protocols (NetBIOS Session Service, SMB, LANMAN,
etc.). From there we discuss the changes we made to Snort itself, along
with a few examples that illustrate the use of such a capability. We wrap
up with some interesting findings about the NetBIOS protocols that we
made while doing our digging.

About the Speaker

Todd O'Boyle is a Senior Information Systems Security Engineer with
the MITRE Corporation. He has a B.S. in Computer Science from Purdue
University, and has been working in information security since
completing his degree in 1999. Todd is currently on assignment to
the Defense Information Systems Agency (DISA) Regional CERT located
at Scott AFB, IL. His responsibilities currently include engineering
of a 200+ intrusion detection sensor grid that monitors key networks
for the military worldwide. He also has experience performing
vulnerability assessments, designing hardened networks, and analyzing
system compromises.

Unless otherwise noted, the security seminar is held on Wednesdays at 4:30 P.M. in STEW G52 (Suite 050B), West Lafayette Campus.

