Rodrigo_Silva
Contributor

Detect and prevent NTLM traffic

Hi everyone,

Is there a way to monitor all NTLM authentication traffic going through my network?

I couldn’t find a way to identify it using HTTPS Inspection.

I need to detect and later enforce a full block on all NTLM authentication traffic.

Has anyone done this before?

Vincent_Bacher
MVP Silver

Are you using IPS? If yes, maybe compiling a Snort rule to detect NTLM auth over HTTPS would be an idea?

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
Rodrigo_Silva
Contributor

Yes, I have IPS enabled, but I’ve never worked with Snort rules before. I’ll look into it. Thanks for the tip.

Rodrigo_Silva
Contributor

Thank you for the tip.

I created the rule below and was able to detect and prevent NTLM traffic using the IPS blade.

# sid/rev added to the posted rule: Snort refuses to load a rule without a unique sid; 1000001 is an arbitrary value from the local-rule range
alert tcp any any -> any $HTTP_PORTS (msg:"NTLM authentication over TCP"; flow:to_server,established; content:"Authorization|3a|"; nocase; http_header; content:"NTLM"; nocase; distance:0; within:64; http_header; classtype:policy-violation; sid:1000001; rev:1;)

Of course, I also had to enable HTTPS Inspection for the internal network.

Best regards

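The following is an added worked example, not code from the original post or from Check Point: it reproduces the logic of the accepted rule (the string "NTLM" shortly after "Authorization:") over constructed HTTP requests, and then goes one step further by decoding the token itself. Two caveats a practitioner should know about the header-string approach: it only sees NTLM carried over HTTP(S) on $HTTP_PORTS, so NTLM inside SMB, LDAP or MS-RPC is never inspected by it, and a client that falls back to NTLM under the "Negotiate" scheme sends the same NTLMSSP token with a different scheme name, which the string match does not catch. Decoding the base64 token and looking for the "NTLMSSP\0" signature (which SPNEGO wraps verbatim) covers both scheme names and also yields the domain and user name from a type 3 message. The host name, user and domain in the sample requests are made up, and the NTLM messages are built in the code following the MS-NLMP field layout rather than captured from a real client.

```python
"""NTLM-over-HTTP detector, added as a worked example (not code from the original post).

Sample requests are constructed here, not captured traffic; message layout follows MS-NLMP.
"""
import base64
import re
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001  # NTLMSSP_NEGOTIATE_UNICODE: string fields are UTF-16LE


def build_type1(flags=0x00088207):
    """Constructed NEGOTIATE_MESSAGE (type 1): signature, type, flags, empty domain/workstation fields."""
    return NTLMSSP_SIGNATURE + struct.pack("<II", 1, flags) + b"\x00" * 16


def build_type3(domain, user, workstation, flags=0x00088205):
    """Constructed minimal AUTHENTICATE_MESSAGE (type 3): 64-byte header (no Version/MIC), then payload."""
    # Header field order: LmChallengeResponse, NtChallengeResponse, DomainName, UserName, Workstation, SessionKey
    items = [b"\x00" * 24, b"\x00" * 24, domain.encode("utf-16-le"),
             user.encode("utf-16-le"), workstation.encode("utf-16-le"), b""]
    fields, payload, offset = b"", b"", 64
    for item in items:
        fields += struct.pack("<HHI", len(item), len(item), offset)  # Len, MaxLen, BufferOffset
        payload += item
        offset += len(item)
    return NTLMSSP_SIGNATURE + struct.pack("<I", 3) + fields + struct.pack("<I", flags) + payload


def parse_ntlm_token(token):
    """Decode a base64 token and return NTLM message info, or None if it carries no NTLMSSP message.

    The signature is searched anywhere in the blob, so a SPNEGO-wrapped token (scheme "Negotiate")
    is recognised too: SPNEGO embeds the NTLMSSP bytes verbatim in its mechToken.
    """
    try:
        blob = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    idx = blob.find(NTLMSSP_SIGNATURE)
    if idx < 0 or len(blob) < idx + 12:
        return None
    msg = blob[idx:]
    info = {"type": struct.unpack_from("<I", msg, 8)[0]}
    if info["type"] == 3 and len(msg) >= 64:
        flags = struct.unpack_from("<I", msg, 60)[0]
        # Non-Unicode strings use the OEM code page; ASCII is an approximation of that here
        codec = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
        for name, off in (("domain", 28), ("user", 36), ("workstation", 44)):
            length, _maxlen, buf_off = struct.unpack_from("<HHI", msg, off)
            info[name] = msg[buf_off:buf_off + length].decode(codec, errors="replace")
    return info


AUTH_RE = re.compile(r"^Authorization:[ \t]*(\S+)[ \t]+(\S+)", re.IGNORECASE | re.MULTILINE)


def snort_rule_matches(request):
    """Emulate the posted IPS rule: 'Authorization:' with 'NTLM' (case-insensitive) in the next 64 bytes of the headers."""
    headers = request.split("\r\n\r\n", 1)[0].lower()
    pos = headers.find("authorization:")
    if pos < 0:
        return False
    start = pos + len("authorization:")
    return "ntlm" in headers[start:start + 64]


def inspect_request(request):
    """Return (auth scheme, NTLM message info) when the request carries an NTLMSSP token, else None."""
    m = AUTH_RE.search(request)
    if not m:
        return None
    info = parse_ntlm_token(m.group(2))
    return None if info is None else (m.group(1), info)


def sample_requests():
    """Constructed sample requests: raw NTLM, NTLM under the Negotiate scheme, and an unrelated Basic auth."""
    t1 = base64.b64encode(build_type1()).decode()
    t3 = base64.b64encode(build_type3("CORP", "alice", "WS01")).decode()
    head = "GET /intranet/ HTTP/1.1\r\nHost: app.corp.example\r\n"
    return {
        "ntlm_type1": head + f"Authorization: NTLM {t1}\r\n\r\n",
        "ntlm_type3": head + f"Authorization: NTLM {t3}\r\n\r\n",
        "negotiate_ntlm": head + f"Authorization: Negotiate {t1}\r\n\r\n",
        "basic": head + "Authorization: Basic YWxpY2U6cGFzc3dvcmQ=\r\n\r\n",
    }


if __name__ == "__main__":
    for name, req in sample_requests().items():
        print(f"{name:15} rule={snort_rule_matches(req)!s:5} parsed={inspect_request(req)}")
```

Running the script shows the difference between the two approaches on the constructed samples: the header-string check fires on the raw NTLM requests and stays silent on the Negotiate one, while the token decoder flags both and, for the type 3 message, reports the domain and user name, which is the detail you want in a log when you later move the rule from detect to prevent.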
Martijn
MVP

Hi,

Can't you use Application Control? There is a Windows NTLM application there.

"Windows Challenge/Response (NTLM) is the authentication protocol used on networks that include systems running the Windows operating system on stand-alone systems."

Category: Network Protocols
Risk: Low (2)

Or did you already try that?

Martijn

Rodrigo_Silva
Contributor

Yes, I already tried it but it didn’t detect anything.
