Security Incidents mailing list archives

Re: Unusual volume: UDP:137 probes


From: "Scott McGee" <scottmcgee () adelphia net>
Date: Mon, 30 Sep 2002 11:27:02 -0700

Here are some example tcpdumps of the netbios probes:

tcpdump -xX -v -i eth1 udp port 137

11:10:54.373723 200-158-48-226.dsl.telesp.net.br.1025 >
ca-crlsca-cuda2-c6a.crlsca.adelphia.net.netbios-ns:  [udp sum ok]
NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
TrnID=0x100
OpCode=0
NmFlags=0x1
Rcode=0
QueryCount=1
AnswerCount=0
AuthorityCount=0
AddressRecCount=0
QuestionRecords:
Name=*               NameType=0x00 (Workstation)
QuestionType=0x21
QuestionClass=0x1

 (ttl 102, id 22089, len 78)
0x0000   4500 004e 5649 0000 6611 c8a8 c89e 30e2        E..NVI..f.....0.
0x0010   4446 f7e6 0401 0089 003a 85f9 0100 0010        DF.......:......
0x0020   0001 0000 0000 0000 2043 4b41 4141 4141        .........CKAAAAA
0x0030   4141 4141 4141 4141 4141 4141 4141 4141        AAAAAAAAAAAAAAAA
0x0040   4141 4141 4141 4141 4100 0021 0001             AAAAAAAAA..!..

11:12:25.241600 209.136.250.227.1030 >
ca-crlsca-cuda2-c6a.crlsca.adelphia.net.netbios-ns:  [udp sum ok]
NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
TrnID=0x100
OpCode=0
NmFlags=0x1
Rcode=0
QueryCount=1
AnswerCount=0
AuthorityCount=0
AddressRecCount=0
QuestionRecords:
Name=*               NameType=0x00 (Workstation)
QuestionType=0x21
QuestionClass=0x1

 (ttl 46, id 7690, len 78)
0x0000   4500 004e 1e0a 0000 2e11 65fc d188 fae3        E..N......e.....
0x0010   4446 f7e6 0406 0089 003a b308 0100 0010        DF.......:......
0x0020   0001 0000 0000 0000 2043 4b41 4141 4141        .........CKAAAAA
0x0030   4141 4141 4141 4141 4141 4141 4141 4141        AAAAAAAAAAAAAAAA
0x0040   4141 4141 4141 4141 4100 0021 0001             AAAAAAAAA..!..


| >
| > Packet contents seem to be "normal".
|
| Yep. Look normal here too.
|


Scott
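A decoder for the dumps above, added here as an example (it is not code from the original post, nor tcpdump's own): it takes the hex bytes tcpdump printed, strips the IPv4 and UDP headers, and parses the NBNS header and first question record. It undoes the NetBIOS first-level name encoding, which is why the wildcard name `*` appears on the wire as `CKAAAA...`, and then checks for the pattern both packets show: a broadcast-flagged NBSTAT (type 0x21) query for `*`, i.e. a request for the node's complete name table. The packet bytes are transcribed from the first dump; the function names and the `is_wildcard_nbstat` classifier are this example's own. The name decoder is general, so it also handles ordinary names such as `WORKGROUP<1D>`.

```python
"""Decode NetBIOS Name Service (UDP/137) queries from a tcpdump -xX hex dump.
Added example, not part of the original post."""
import struct

# Bytes transcribed from the first tcpdump dump in the post:
# IPv4 header (20) + UDP header (8) + NBNS payload (50) = 78 bytes.
PACKET_HEX = (
    "4500 004e 5649 0000 6611 c8a8 c89e 30e2"
    "4446 f7e6 0401 0089 003a 85f9 0100 0010"
    "0001 0000 0000 0000 2043 4b41 4141 4141"
    "4141 4141 4141 4141 4141 4141 4141 4141"
    "4141 4141 4141 4141 4100 0021 0001"
)

NBNS_QTYPES = {0x20: "NB", 0x21: "NBSTAT"}
NBNS_OPCODES = {0: "QUERY", 5: "REGISTRATION", 6: "RELEASE", 7: "WACK", 8: "REFRESH"}


def decode_first_level(encoded: str) -> tuple[str, int]:
    """Undo first-level encoding (RFC 1001 section 14.1): each of the 16 name
    bytes is sent as two letters 'A'..'P' carrying its high and low nibble.
    Returns (name, suffix); the 16th byte is the service suffix (0x00, 0x1D, ...)."""
    if len(encoded) != 32 or any(c not in "ABCDEFGHIJKLMNOP" for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((ord(encoded[i]) - 65) << 4) | (ord(encoded[i + 1]) - 65)
                for i in range(0, 32, 2))
    # Names are space padded; the wildcard query pads with NUL instead.
    return raw[:15].rstrip(b" \x00").decode("ascii", "replace"), raw[15]


def parse_nbns_query(payload: bytes) -> dict:
    """Parse the NBNS header and the first question record."""
    if len(payload) < 12:
        raise ValueError("truncated NBNS header")
    trn_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    info = {
        "trn_id": trn_id,
        "response": bool(flags & 0x8000),      # R bit
        "opcode": (flags >> 11) & 0xF,
        "nm_flags": (flags >> 4) & 0x7F,
        "broadcast": bool(flags & 0x0010),     # B bit inside NM_FLAGS
        "rcode": flags & 0xF,
        "counts": (qd, an, ns, ar),
    }
    info["opcode_name"] = NBNS_OPCODES.get(info["opcode"], "UNKNOWN")
    if qd < 1:
        return info
    # Question name: length-prefixed labels ending in a zero byte. The first
    # label is the encoded NetBIOS name; any further labels form the scope ID.
    pos, labels = 12, []
    while True:
        if pos >= len(payload):
            raise ValueError("truncated question name")
        n = payload[pos]
        pos += 1
        if n == 0:
            break
        labels.append(payload[pos:pos + n].decode("ascii"))
        pos += n
    qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    name, suffix = decode_first_level(labels[0])
    info.update(name=name, suffix=suffix, scope=".".join(labels[1:]),
                qtype=qtype, qtype_name=NBNS_QTYPES.get(qtype, hex(qtype)),
                qclass=qclass)
    return info


def decode_packet(hexdump: str) -> dict:
    """Strip the IPv4 and UDP headers from a raw hex dump, then decode NBNS."""
    pkt = bytes.fromhex(hexdump.replace(" ", ""))
    ihl = (pkt[0] & 0xF) * 4                  # IPv4 header length in bytes
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    sport, dport, ulen = struct.unpack("!HHH", pkt[ihl:ihl + 6])
    info = parse_nbns_query(pkt[ihl + 8:ihl + ulen])
    info.update(src=src, dst=dst, src_port=sport, dst_port=dport)
    return info


def is_wildcard_nbstat(info: dict) -> bool:
    """The signature seen in the post: a QUERY request of type NBSTAT (0x21)
    for the wildcard name '*', which asks a node for its whole name table."""
    return (not info["response"] and info["opcode"] == 0
            and info.get("qtype") == 0x21 and info.get("name") == "*")


if __name__ == "__main__":
    q = decode_packet(PACKET_HEX)
    for key in ("src", "dst", "trn_id", "opcode_name", "broadcast",
                "name", "suffix", "qtype_name"):
        print(f"{key:12} {q[key]}")
    print("wildcard NBSTAT probe:", is_wildcard_nbstat(q))
```

Feeding the second dump through `decode_packet` gives the same question record with a different source address, transaction ID 0x100 and source port 1030, which is what makes the two probes look like the same tool run from two hosts; the classifier is the kind of check one would put behind an IDS rule or a log filter for port 137 traffic.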


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

