Snort mailing list archives

Re: Question on the NetBIOS rules and port 445 in general


From: Matt Kettler <mkettler () evi-inc com>
Date: Wed, 18 May 2005 13:35:39 -0400

Kevin Smith wrote:
> Hi Ted,

I'm not Ted, but I'll interject anyway, and respond to this post, and your
earlier post.

> If you look you can see that it isn't just to one IP but to many. Is this normal for NetBIOS to do, or could be
> signs of virus/spy-ware activity?

Yes, it's common for Windows hosts to try a NetBIOS-based name query when a DNS
query fails. This is very common when a Windows host tries to reverse-lookup an
IP and there's no DNS PTR record. The Windows host will try a NetBIOS name query
directed at the IP to obtain a name.

> Do you have any idea why only a small percentage of our end users are
> being flagged for this network activity? I noticed in the article it
> applies to Win2K and different server versions. However, most of our
> customers are running Win98 and other versions besides 2000.

Older versions of Windows use ports in the range of 135-139. Newer versions of
Windows support a combined service on 445 and will prefer using that.

This is probably why you only see it from some of your clients, and not others.

> Plus, the
> only reason we get notifications on this traffic is because the IP addresses
> are not connected to anything. Could anything else cause that kind of
> activity like a virus or some piece of spy-ware in your opinion?

It could be. Many worms try to exploit NetBIOS services. However, there's
nothing about the posted traffic that's suspicious. Typically if you've got a
worm you'll get a LOT of traffic. Blaster, Slammer and similar worms kick out
hundreds of packets per second. These are generally directed to IPs all over the
world. Some focus their scans on a "block at a time", where they pick a random
/16 and then scan all the IPs in that, then pick another /16, etc. They also
tend to play favorites to IPs in the local subnet and hammer them relentlessly.

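The distinction Matt draws above (a few NetBIOS name queries to unrelated IPs after a failed reverse lookup, versus a worm hammering hundreds of hosts per second in one /16) can be checked mechanically from connection logs. The script below is an added example and is not code from the original thread or from Snort; it assumes a simple "timestamp src dst dport" log format, constructs its own sample records (the benign host 10.0.0.5 and the scanner 10.0.0.9 are made up), and uses packets-per-second and distinct-destination thresholds that are assumptions chosen for illustration.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Ports discussed in the thread: legacy NetBIOS (135-139) and SMB-over-TCP (445).
NETBIOS_PORTS = {135, 137, 138, 139, 445}

# Constructed sample records ("timestamp src dst dport"), not taken from the post.
# Host 10.0.0.5 behaves like the poster's clients: a handful of NetBIOS name
# queries (UDP 137) to unrelated IPs after reverse-DNS lookups failed.
BENIGN_LINES = [
    "2005-05-18T13:00:00 10.0.0.5 192.0.2.10 137",
    "2005-05-18T13:00:01 10.0.0.5 203.0.113.7 137",
    "2005-05-18T13:00:12 10.0.0.5 198.51.100.40 137",
]


def make_scanner_lines(src="10.0.0.9", count=300):
    """Constructed worm-like traffic: hundreds of port-445 probes per second,
    walking one address block sequentially, as the reply describes."""
    base = datetime(2005, 5, 18, 13, 0, 0)
    hosts = list(ipaddress.ip_network("198.51.100.0/22").hosts())  # 1022 hosts
    return [
        f"{(base + timedelta(milliseconds=5 * i)).isoformat()} {src} {hosts[i]} 445"
        for i in range(count)
    ]


def parse_line(line):
    """Split one log record into (timestamp, src, dst, dport)."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def summarize(lines):
    """Per-source statistics over NetBIOS/SMB traffic: packet count, distinct
    destinations, ports used, packets per second, and how concentrated the
    destinations are in a single /16 (the "block at a time" pattern)."""
    per_src = defaultdict(lambda: {"packets": 0, "dsts": set(), "ports": set(),
                                   "first": None, "last": None})
    for line in lines:
        ts, src, dst, dport = parse_line(line)
        if dport not in NETBIOS_PORTS:
            continue  # only the traffic classes the thread is about
        s = per_src[src]
        s["packets"] += 1
        s["dsts"].add(dst)
        s["ports"].add(dport)
        s["first"] = ts if s["first"] is None or ts < s["first"] else s["first"]
        s["last"] = ts if s["last"] is None or ts > s["last"] else s["last"]

    result = {}
    for src, s in per_src.items():
        # Clamp the window to 1 s so a burst of N packets counts as N pps, not infinite.
        span = max((s["last"] - s["first"]).total_seconds(), 1.0)
        blocks = defaultdict(int)
        for dst in s["dsts"]:
            blocks[str(ipaddress.ip_network(f"{dst}/16", strict=False))] += 1
        top_block, top_count = max(blocks.items(), key=lambda kv: kv[1])
        result[src] = {
            "packets": s["packets"],
            "distinct_dsts": len(s["dsts"]),
            "ports": sorted(s["ports"]),
            "pps": s["packets"] / span,
            "top_block": top_block,
            "top_block_share": top_count / len(s["dsts"]),
        }
    return result


def classify(stats, pps_threshold=50.0, dst_threshold=100):
    """Label one source. The thresholds are assumptions for this example."""
    if stats["pps"] >= pps_threshold or stats["distinct_dsts"] >= dst_threshold:
        return "worm-like scan"
    if stats["ports"] == [137]:
        return "netbios name lookups (likely reverse-DNS fallback)"
    return "low-volume netbios/smb"


if __name__ == "__main__":
    for src, st in summarize(BENIGN_LINES + make_scanner_lines()).items():
        print(f"{src}: {classify(st)} ({st['pps']:.1f} pps, "
              f"{st['distinct_dsts']} dsts, top block {st['top_block']} "
              f"{st['top_block_share']:.0%})")
```

Run against real connection logs, the three numbers worth watching are exactly the ones in the reply: packet rate, count of distinct destinations, and whether those destinations cluster in one /16. A Win98 client doing a reverse-lookup fallback produces a few UDP/137 packets to scattered IPs; a Blaster-style infection produces hundreds of packets per second on 135 or 445 across a whole block.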