<div dir="ltr"><div>I guess using the suggestion on the Corelight site could help build a script based on the port used in LLMNR</div><div><br></div><div>
<p><b>Attackers with the ability to
poison or intercept DNS queries can strengthen their foothold into a
targeted network by inserting or overwriting records for sensitive
hosts. For example, if an attacker can generate a response for "wpad,"
they can redirect users' web traffic through a man-in-the-middle of
their choosing.
LLMNR may be disabled in an enterprise network, in which case any LLMNR
(UDP 5355) traffic would be immediately actionable based on events
within Zeek's conn.log file.</b></p><p><b><br></b></p><p>Kind regards,</p><p>Alex Kefallonitis<br></p><p><b></b></p>
</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, 10 Feb 2020 at 6:17 PM, Alex Kefallonitis <<a href="mailto:al.kefallonitis@gmail.com">al.kefallonitis@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>Hi All,</div><div><br></div><div> Any script that can log LLMNR/NBT-NS Poisoning and Relay Attacks?</div><div><br></div><div>Thanks in advance.</div><div><br></div><div>Kind Regards,</div><div>Alex Kefallonitis<br></div></div>
</blockquote></div>
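<p>The port-based approach from the quoted Corelight text, written out as an added Zeek script (not code from the thread, from Corelight or from the Zeek project). It assumes LLMNR has been disabled by policy, so any UDP/5355 flow in conn.log is worth a notice; the module name, notice type and the hypothetical one-hour suppression are this example's own choices.</p>

```zeek
##! Added example: raise a Notice for any LLMNR (UDP/5355) flow that Zeek
##! tracks, on the assumption that LLMNR is disabled in this network and
##! therefore any occurrence is actionable.

@load base/frameworks/notice

module LLMNR_Detect;

export {
	redef enum Notice::Type += {
		## A connection on the LLMNR port was observed.
		LLMNR_Traffic,
	};

	## Ports treated as LLMNR. 5355/udp is the port named in the thread.
	const llmnr_ports: set[port] = { 5355/udp } &redef;
}

event connection_state_remove(c: connection)
	{
	# A query goes to the multicast group on port 5355, so it shows up with
	# resp_p == 5355/udp. A unicast answer from a responder (legitimate or a
	# poisoner) is tracked by Zeek as a separate UDP flow whose *source* port
	# is 5355, so both endpoints are checked.
	if ( c$id$resp_p !in llmnr_ports && c$id$orig_p !in llmnr_ports )
		return;

	local direction = (c$id$resp_p in llmnr_ports) ? "query" : "response";

	NOTICE([$note=LLMNR_Traffic,
	        $conn=c,
	        $msg=fmt("LLMNR %s: %s:%s -> %s:%s (LLMNR is expected to be disabled)",
	                 direction, c$id$orig_h, c$id$orig_p,
	                 c$id$resp_h, c$id$resp_p),
	        # Hypothetical dedup choice: one notice per originating host
	        # per hour keeps notice.log readable during a noisy incident.
	        $identifier=cat(c$id$orig_h, direction),
	        $suppress_for=1hr]);
	}
```

<p>Load it with <code>zeek -r trace.pcap llmnr_detect.zeek</code> (or via local.zeek) and the hits appear in notice.log alongside the usual conn.log entries; the "response" case is the one to triage first, since a host answering from port 5355 is acting as an LLMNR responder.</p>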