Snort mailing list archives

Odd traffic from Windows 2K servers


From: "Vazquez, Ed" <Ed.Vazquez () dhha org>
Date: Wed, 10 Oct 2001 18:22:53 -0600

Here's a strange one - I'm getting _thousands_ of packets per
hour from the Windows 2K domain controllers / Active Directory
root servers (both functions on same box).

They generate UDP port 137/138 traffic that has both the source
and destination _exactly the same_ (port and IP).

i.e.:

BAD TRAFFIC same SRC/DST 2001-10-11 00:19:28 10.146.10.149:138 10.146.10.149:138 UDP

I'm more of a *NIX head than a Gates Clone, so this was something
_really_ strange to me.  The local admins are clueless as well.

I searched on Google, MS Technet, etc. with no luck on finding
anything that causes this error.

Anyone out there seen this before?  Can help me identify what's
causing this traffic?  Should I just "tune" it out of the rules?

Thanks, 

-- 
Ed Vázquez

I *____knew* I had some reason for not logging you off... If I could
just remember what it was.
