LLMNR
LLMNR (Link-Local Multicast Name Resolution) is used to resolve machine names to their IP addresses within a local subnet when DNS is not available.
This plugin looks for signs of LLMNR poisoning.
LLMNR poisoning happens when a user or device tries to resolve a hostname that DNS can't answer. An attacker waits on the network with a tool such as Responder and sends a forged LLMNR response claiming to be the machine the user or device is looking for. LLMNR responses aren't verified, so the forged answer is accepted and the attacker receives all data mistakenly sent to them. The attacker can then capture any credentials sent or commence a man-in-the-middle attack.
How does this work with Trapster?
Your Trapster will periodically send LLMNR requests to find the IP address of a made-up machine.
These LLMNR requests will not affect your network: the machine doesn't exist, so nobody should respond. If a machine does respond, the response is recorded, flagged, and sent to your Dashboard, where you can review the incident.
Important
Use this plugin on your Windows-imitating Trapsters only. LLMNR is a Windows-specific protocol.
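The probe described above, sketched as an added example; it is not Trapster's own code. The function names, the random 12-letter hostname, and the constructed packets used to check it are assumptions for illustration.

```python
import random
import socket
import string
import struct

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355  # IPv4 LLMNR multicast (RFC 4795)

def build_query(name, txid):
    """LLMNR reuses the DNS wire format: 12-byte header plus one A/IN question."""
    header = struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0)  # flags=0 (query), QDCOUNT=1
    label = name.encode("ascii")
    return header + bytes([len(label)]) + label + b"\x00" + struct.pack(">HH", 1, 1)

def is_poison_response(data, txid, name):
    """True if data answers our query: same ID, QR bit set, an answer, same name."""
    label = name.lower().encode("ascii")
    if len(data) < 13 + len(label):
        return False
    rid, flags, _qd, ancount = struct.unpack(">HHHH", data[:8])
    echoed = data[13:13 + len(label)].lower()
    return (rid == txid and bool(flags & 0x8000) and ancount >= 1
            and data[12] == len(label) and echoed == label)

def probe(timeout=2.0):
    """Query one random (nonexistent) name; return [(responder_ip, name), ...]."""
    name = "".join(random.choices(string.ascii_lowercase, k=12))
    txid = random.randrange(0x10000)
    hits = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)  # stay on-link
        s.sendto(build_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
        try:
            while True:  # responses arrive unicast on our source port
                data, (ip, _port) = s.recvfrom(512)
                if is_poison_response(data, txid, name):
                    hits.append((ip, name))
        except socket.timeout:
            pass  # silence is the expected, healthy outcome
    return hits

if __name__ == "__main__":
    for ip, name in probe():
        print(f"ALERT: {ip} answered LLMNR query for nonexistent host {name!r}")
```

Because the queried name is random and should not exist, any entry returned by `probe()` is a host answering a name it cannot legitimately own.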
