RE: Odd traffic from Windows 2K servers

["Vazquez, Ed" <Ed.Vazquez () dhha org>]

Oh yes, I am aware that these are the NETBIOS ports.  These are
internal Domain Controllers/Active Directory root servers so
NETBIOS is acceptable (well, UNIX with LDAP would be preferrable,
but since most folks here can't spell it I've got to work with
what I have).

My question is still:

Has anyone seen behaviour before where a Windows box will send
UDP traffic to _itself_?

If so, what was the cause (since Technet, Google, etc. turn up
nothing) and the cure?

If not, does anyone have any suggestions? (Other than ripping
them out and replacing with UNIX - already been there with the
PHB's.)

- Ed

> -----Original Message-----
> From: Len Conrad [mailto:LConrad () Go2France com]
> Sent: Wednesday, October 10, 2001 19:46
> To: Vazquez, Ed
> Subject: Re: [Snort-users] Odd traffic from Windows 2K servers
>
>
> At 18:22 2001-10-10 -0600, you wrote:
> > Here's a strange one - I'm getting _thousands_ of packets per
> > hour from the Windows 2K domain controllers / Active Directory
> > root servers (both functions on same box).
> >
> > They generate UDP port 137/138 traffic that has both the source
> > and destination _exactly the same_ (port and IP).
>
> ports 137-138 = netbios.  should not have netbios allowed 
> in/out border 
> firewall, should not have netbios running on public server.
>
> Len
>
>
> http://MenAndMice.com/DNS-training
> http://BIND8NT.MEIway.com : ISC BIND 8.2.4 for NT4 & W2K
> http://IMGate.MEIway.com  : Build free, hi-perf, anti-abuse 
> mail gateways

Attachment: InterScan_Disclaimer.txt
Description: