Snort mailing list archives

RE: Odd traffic from Windows 2K servers


From: "Michael Steele" <michaels () silicondefense com>
Date: Fri, 12 Oct 2001 08:04:15 -0700

Ed,

You could always try shutting tasks down one at a time until you find
what is generating the traffic.

-Mike

          Commercial Snort Support
               1.866.41.SNORT
Silicon Defense - www.silicondefense.com
Michael Steele - Snort Support Technician

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Vazquez, Ed
Sent: Wednesday, October 10, 2001 5:23 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Odd traffic from Windows 2K servers

Here's a strange one - I'm getting _thousands_ of packets per
hour from the Windows 2K domain controllers / Active Directory
root servers (both functions on same box).

They generate UDP port 137/138 traffic that has both the source
and destination _exactly the same_ (port and IP).

i.e.:

BAD TRAFFIC same SRC/DST 2001-10-11 00:19:28 10.146.10.149:138 10.146.10.149:138 UDP

I'm more of a *NIX head than a Gates Clone, so this was something
_really_ strange to me.  The local admins are clueless as well.

I searched on Google, MS Technet, etc. with no luck on finding
anything that causes this error.

Anyone out there seen this before?  Can anyone help me identify what's
causing this traffic?  Should I just "tune" it out of the rules?

Thanks, 

-- 
Ed Vázquez

I *knew* I had some reason for not logging you off... If I could just
remember what it was.
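Before tuning the rule out entirely, it helps to measure which hosts are actually producing the same-SRC/DST NetBIOS alerts and at what rate. The following is an added example, not code from the thread or from Snort itself; it assumes the one-line alert layout Ed quoted ("signature date time src:sport dst:dport proto") and uses constructed sample lines.

```python
import re
from collections import Counter
from datetime import datetime

# Assumed one-line alert layout, matching the line quoted in the thread:
# "<signature> <YYYY-MM-DD> <HH:MM:SS> <src>:<sport> <dst>:<dport> <proto>"
ALERT_RE = re.compile(
    r"^(?P<sig>.+?) (?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)

# Constructed sample alerts (hosts in the thread's 10.146.10.0/24 range).
SAMPLE_ALERTS = [
    "BAD TRAFFIC same SRC/DST 2001-10-11 00:19:28 10.146.10.149:138 10.146.10.149:138 UDP",
    "BAD TRAFFIC same SRC/DST 2001-10-11 00:19:29 10.146.10.149:137 10.146.10.149:137 UDP",
    "BAD TRAFFIC same SRC/DST 2001-10-11 00:25:02 10.146.10.150:138 10.146.10.150:138 UDP",
    # same-endpoint hit on a non-NetBIOS port: deliberately excluded from the tally
    "BAD TRAFFIC same SRC/DST 2001-10-11 00:26:10 10.146.10.151:53 10.146.10.151:53 UDP",
    "this line is not an alert and must be skipped",
]

def parse_alert(line):
    """Parse one alert line into a dict, or return None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    # The condition the Snort rule fires on: source and destination endpoint identical.
    rec["same_endpoint"] = rec["src"] == rec["dst"] and rec["sport"] == rec["dport"]
    return rec

def triage(lines, netbios_ports=(137, 138)):
    """Tally UDP same-endpoint alerts on NetBIOS ports per source host.
    Returns {host: {"count": n, "ports": Counter, "first": ts, "last": ts}}."""
    hosts = {}
    for line in lines:
        rec = parse_alert(line)
        if rec is None or rec["proto"] != "UDP" or not rec["same_endpoint"]:
            continue
        if rec["dport"] not in netbios_ports:
            continue
        h = hosts.setdefault(rec["src"], {"count": 0, "ports": Counter(),
                                          "first": rec["ts"], "last": rec["ts"]})
        h["count"] += 1
        h["ports"][rec["dport"]] += 1
        h["first"], h["last"] = min(h["first"], rec["ts"]), max(h["last"], rec["ts"])
    return hosts

def noisy_hosts(hosts, per_hour=1000):
    """Hosts whose alert rate reaches per_hour; the observed span is floored at one hour."""
    out = []
    for host, h in hosts.items():
        hours = max((h["last"] - h["first"]).total_seconds() / 3600.0, 1.0)
        if h["count"] / hours >= per_hour:
            out.append(host)
    return sorted(out)
```

The per-host, per-port counts tell you whether one or two domain controllers are responsible (a candidate for a host-specific suppression) or whether the alert is firing network-wide, which argues for investigating the service rather than silencing the rule.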


