Snort mailing list archives
Re: portscan destination port 137
From: "Eric Joe" <sysop () tje1 com>
Date: Thu, 14 Nov 2002 14:15:41 -0500 (EST)
Since udp 137 is a well-known M$ port this could be normal, but it's worth checking. No one with a source IP that you don't know should be hitting that port anyway (to be frank, no one at all should be hitting that port). So check the target for vulnerability (file and print sharing, shares, non-renamed administrator account....) and see if the source is an attacker.
It would be a very good idea to block this port all together (along with 135 and 139) at your border router, then it becomes a non issue and its much safer for your users. -- Eric Joe Network Operations Journey's End Internet/Computer Connection Inc ------------------------------------------------------- This sf.net email is sponsored by: To learn the basics of securing your web site with SSL, click here to get a FREE TRIAL of a Thawte Server Certificate: http://www.gothawte.com/rd524.html _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- portscan destination port 137 Michael (Nov 14)
- Re: portscan destination port 137 twig les (Nov 14)
- <Possible follow-ups>
- Re: portscan destination port 137 Eric Joe (Nov 14)
- Re: portscan destination port 137 twig les (Nov 14)
- RE: portscan destination port 137 Security Admin (Nov 14)
- Re: portscan destination port 137 Axel Pettinger (Nov 14)
- RE: portscan destination port 137 Security Admin (Nov 14)