NetBIOS - Analysis

All, not a BigFix question directly.
Looking to analyse which (legacy) applications still require NetBIOS with a view to disabling it on our Win10 desktops. Anyone conducted this before using a task? Maybe netstat is an option, looking for ESTABLISHED connections on port 137/8/9?

Nearly there … as a test I'm filtering on port 80.
How would I just return the foreign IP?

q: (lines whose (it as lowercase contains "tcp" as lowercase AND (it contains ":80 ") AND it as lowercase contains "established" as lowercase) of file "netstat.log" of parent folder of regapp "besclient.exe")
A: TCP 45.69.195.33:58348 45.66.64.190:80 ESTABLISHED
T: 4.186 ms
I: plural file line

q: preceding text of first ":80 " of following text of first ":" of (lines whose (it as lowercase contains "tcp" as lowercase AND (it contains ":80 ") AND it as lowercase contains "established" as lowercase) of file "netstat.log" of parent folder of regapp "besclient.exe")
A: 58348 45.66.64.190
T: 4.645 ms
I: singular substring

Need to filter off 58348.

Anyone? Thanks!

OK, is there a more elegant way to identify the whitespace?

q: preceding texts of firsts ":80 " of following text of first "INSERT 5 SPACES" of (lines whose (it as lowercase contains "tcp" as lowercase AND (it contains ":80 ") AND it as lowercase contains "established" as lowercase) of file "netstat.log" of parent folder of regapp "besclient.exe")
A: 45.66.64.190
T: 4.558 ms
I: singular substring
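A parser for the netstat.log approach used in this thread, added here as an example that is not part of the original post; it is written in Python rather than relevance so it can be tried offline. The sample output is constructed in the layout of `netstat -ano` (not captured from a real host) and the function names are mine. It returns the foreign IP directly, which is what the thread is trying to extract, and also keeps protocol, state and PID so you can see which process actually holds the session. One caveat worth building in: ports 137 and 138 are UDP, and netstat prints no state column for UDP, so an ESTABLISHED filter only ever sees TCP 139 sessions; the listener view below covers the UDP side.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# NetBIOS over TCP/IP: 137 = name service (UDP), 138 = datagram (UDP), 139 = session (TCP).
NETBIOS_PORTS = {137, 138, 139}


@dataclass(frozen=True)
class Socket:
    proto: str                  # "TCP" or "UDP"
    local_ip: Optional[str]
    local_port: Optional[int]
    remote_ip: Optional[str]    # None when netstat prints "*"
    remote_port: Optional[int]
    state: Optional[str]        # None for UDP: netstat prints no state column for it
    pid: Optional[int]          # only present when netstat was run with -o


def _split_endpoint(ep: str) -> Tuple[Optional[str], Optional[int]]:
    """Split "ip:port", "[ipv6]:port" or "*:*" into (ip, port); "*" becomes None."""
    host, sep, port = ep.rpartition(":")
    if not sep:
        raise ValueError(f"not a netstat endpoint: {ep!r}")
    host = host.strip("[]")
    return (None if host == "*" else host, None if port == "*" else int(port))


def parse_netstat_line(line: str) -> Optional[Socket]:
    """Parse one line of Windows 'netstat -ano' output; header and blank lines give None."""
    parts = line.split()
    if len(parts) < 3 or parts[0].upper() not in ("TCP", "UDP"):
        return None
    proto = parts[0].upper()
    local_ip, local_port = _split_endpoint(parts[1])
    remote_ip, remote_port = _split_endpoint(parts[2])
    rest = parts[3:]
    state = None
    if proto == "TCP" and rest and not rest[0].isdigit():
        state = rest.pop(0).upper()
    pid = int(rest[0]) if rest and rest[0].isdigit() else None
    return Socket(proto, local_ip, local_port, remote_ip, remote_port, state, pid)


def parse_netstat(lines: Iterable[str]) -> List[Socket]:
    return [s for s in (parse_netstat_line(l) for l in lines) if s is not None]


def netbios_sessions(lines: Iterable[str]) -> List[Socket]:
    """Established TCP sessions on a NetBIOS port, in either direction.
    This is all an ESTABLISHED filter can ever see: 137/138 are UDP and carry no state."""
    return [s for s in parse_netstat(lines)
            if s.proto == "TCP" and s.state == "ESTABLISHED"
            and (s.local_port in NETBIOS_PORTS or s.remote_port in NETBIOS_PORTS)]


def netbios_listeners(lines: Iterable[str]) -> List[Socket]:
    """Sockets bound to a NetBIOS port and waiting for traffic (TCP LISTENING or any UDP)."""
    return [s for s in parse_netstat(lines)
            if s.local_port in NETBIOS_PORTS
            and (s.proto == "UDP" or s.state == "LISTENING")]


def remote_ips(sockets: Iterable[Socket]) -> List[str]:
    """Just the foreign IPs, deduplicated and sorted: the value the thread is trying to extract."""
    return sorted({s.remote_ip for s in sockets if s.remote_ip is not None})


# Constructed sample in the layout of 'netstat -ano' output (not captured from a real host).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING       4
  TCP    10.0.0.15:49710        10.0.0.20:139          ESTABLISHED     4
  TCP    10.0.0.15:49821        203.0.113.9:80         ESTABLISHED     5120
  TCP    10.0.0.15:139          10.0.0.31:51240        ESTABLISHED     4
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    10.0.0.15:137          *:*                                    4
  UDP    10.0.0.15:138          *:*                                    4
""".splitlines()

if __name__ == "__main__":
    for s in netbios_sessions(SAMPLE_NETSTAT):
        print(f"{s.proto} {s.local_ip}:{s.local_port} <-> {s.remote_ip}:{s.remote_port} pid={s.pid}")
    print("foreign IPs:", remote_ips(netbios_sessions(SAMPLE_NETSTAT)))
```

Splitting on whitespace and then on the last colon avoids the fixed-column and "five spaces" problem from the thread, and works for IPv6 endpoints in brackets as well. The PID is what lets you map a session back to the legacy application; with the remote IP alone you only learn which server it talks to.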

BigFix has network inspectors that you could use:

https://support.bigfix.com/inspectors/Networking%20Objects_Any.html

Here is an example:

((if (exists tcp of it) then ("TCP") else ("UDP")) of it, local addresses of it, local ports of it, (if (exists remote address of it) then (remote address of it as string & ":" & remote port of it as string) else ("*:*")), tcp states whose (it as string = "LISTENING") of it, pathname of image file of process of it | "System") of sockets of network) as string

Adding a filter by port number:

((if (exists tcp of it) then ("TCP") else ("UDP")) of it, local addresses of it, local ports of it, (if (exists remote address of it) then (remote address of it as string & ":" & remote port of it as string) else ("*:*")), tcp states whose (it as string = "LISTENING") of it, pathname of image file of process of it | "System") of sockets whose (local port of it as string is "58348") of network) as string


Thanks for this -

((remote address of it as string) of sockets whose ((remote port of it as string is "137" OR remote port of it as string is "138" OR remote port of it as string is "139") AND exists tcp states whose (it as string = "ESTABLISHED") of it) of network) as string


Just to drop a note on how I typically tackle this kind of question.

The result here is pretty strictly limited to NetBIOS but with a little creativity we can make something that works no matter what your problem is and will allow you to deal with these issues more dynamically.

Pulling the Information

Essentially, I prefer to use analyses like this: https://bigfix.me/analysis/details/2998462

Instead of pulling just the sockets related to NetBIOS, let's pull all of the sockets established and listening on a system.

Using the Information

From there I would go into Web Reports and create a filter that uses the established sockets property and filters out everything that doesn’t have a port of 137, 138, or 139 and isn’t TCP.

Advantages

The advantage to pulling all the sockets and using Web Reports to pull just the info you want is that it's highly dynamic and the data is all there. If tomorrow you realize that NetBIOS also uses TCP 140 (it doesn't), you can just adjust your web report and, because the clients have already collected and reported the data, you get results immediately.

In addition, if you want to pivot and make a report of devices listening on port 443 or port 80, you can just make a new web report without causing any additional client processing or creating a property or an analysis.

In other words, use Analyses to pull as much info as is useful and then use web reports to filter it into something actionable!
