Snort mailing list archives
RE: Odd traffic from Windows 2K servers
From: "Vazquez, Ed" <Ed.Vazquez () dhha org>
Date: Thu, 11 Oct 2001 10:04:55 -0600
Oh yes, I am aware that these are the NETBIOS ports. These are internal Domain Controllers/Active Directory root servers so NETBIOS is acceptable (well, UNIX with LDAP would be preferable, but since most folks here can't spell it I've got to work with what I have). My question is still: Has anyone seen behaviour before where a Windows box will send UDP traffic to _itself_? If so, what was the cause (since Technet, Google, etc. turn up nothing) and the cure? If not, does anyone have any suggestions? (Other than ripping them out and replacing with UNIX - already been there with the PHBs.)

- Ed
-----Original Message-----
From: Len Conrad [mailto:LConrad () Go2France com]
Sent: Wednesday, October 10, 2001 19:46
To: Vazquez, Ed
Subject: Re: [Snort-users] Odd traffic from Windows 2K servers

At 18:22 2001-10-10 -0600, you wrote:
> Here's a strange one - I'm getting _thousands_ of packets per hour from the Windows 2K domain controllers / Active Directory root servers (both functions on same box). They generate UDP port 137/138 traffic that has both the source and destination _exactly the same_ (port and IP).

ports 137-138 = netbios. should not have netbios allowed in/out border firewall, should not have netbios running on public server.

Len
http://MenAndMice.com/DNS-training
http://BIND8NT.MEIway.com : ISC BIND 8.2.4 for NT4 & W2K
http://IMGate.MEIway.com : Build free, hi-perf, anti-abuse mail gateways
Attachment: InterScan_Disclaimer.txt
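The condition Ed describes (UDP 137/138 datagrams whose source IP and port are identical to the destination IP and port) is easy to pull out of a packet capture directly, which helps when deciding whether the volume really is thousands per hour and which hosts produce it. The script below is an added example and is not part of this thread; it parses constructed tcpdump-style lines (the hosts, ports and timestamps are made up) and counts self-addressed NetBIOS datagrams per host and port.

```python
"""Flag self-addressed UDP NetBIOS datagrams (source IP:port == destination IP:port)
in tcpdump-style text output and count them per host.  Added example, not from the thread."""
import re
from collections import Counter

# Constructed sample lines in the style of `tcpdump -nn`; the hosts and times are made up.
# Only lines 1, 2 and 4 are self-addressed NetBIOS traffic; line 3 is a normal broadcast,
# line 5 is self-addressed but on port 53, and line 6 is a client talking to the server.
SAMPLE_LINES = """\
10:04:55.000001 IP 192.0.2.10.137 > 192.0.2.10.137: UDP, length 50
10:04:55.000450 IP 192.0.2.10.138 > 192.0.2.10.138: UDP, length 201
10:04:55.001200 IP 192.0.2.10.137 > 192.0.2.255.137: UDP, length 50
10:04:55.002000 IP 192.0.2.11.138 > 192.0.2.11.138: UDP, length 180
10:04:55.003000 IP 192.0.2.12.53 > 192.0.2.12.53: UDP, length 64
10:04:55.004000 IP 192.0.2.20.1025 > 192.0.2.10.137: UDP, length 50
"""

NETBIOS_UDP_PORTS = {137, 138}

# Matches the endpoint pair tcpdump prints for IPv4 UDP: "A.B.C.D.port > A.B.C.D.port: UDP"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<sip>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dip>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): UDP"
)


def parse_line(line):
    """Return (src_ip, src_port, dst_ip, dst_port) for a UDP line, or None otherwise."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (m["sip"], int(m["sport"]), m["dip"], int(m["dport"]))


def is_self_addressed(pkt):
    """True when the datagram's source and destination endpoints are identical."""
    src_ip, src_port, dst_ip, dst_port = pkt
    return src_ip == dst_ip and src_port == dst_port


def find_self_addressed_netbios(text, ports=NETBIOS_UDP_PORTS):
    """Count self-addressed UDP datagrams on the given ports, keyed by (host, port)."""
    hits = Counter()
    for line in text.splitlines():
        pkt = parse_line(line)
        if pkt is None or not is_self_addressed(pkt):
            continue
        if pkt[1] in ports:
            hits[(pkt[0], pkt[1])] += 1
    return hits


if __name__ == "__main__":
    for (host, port), n in sorted(find_self_addressed_netbios(SAMPLE_LINES).items()):
        print(f"{host}:{port} -> {n} self-addressed datagram(s)")
```

Feed it real `tcpdump -nn 'udp and (port 137 or port 138)'` output to get per-host counts over a capture window; Snort's own rule language also has a `sameip` option that matches the same source-equals-destination condition if you would rather alert on it than grep for it.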
Current thread:
- Odd traffic from Windows 2K servers Vazquez, Ed (Oct 10)
- RE: Odd traffic from Windows 2K servers Michael Steele (Oct 12)
- <Possible follow-ups>
- RE: Odd traffic from Windows 2K servers Vazquez, Ed (Oct 11)
- RE: Odd traffic from Windows 2K servers Rich Adamson (Oct 11)