Snort mailing list archives

Re: portscan destination port 137


From: twig les <twigles () yahoo com>
Date: Thu, 14 Nov 2002 11:27:41 -0800 (PST)

I'm even worse.  I block it at the border, turn off
anything netbios on the hosts, then use a host-based
packet filter to block 135-139 and 445 at least.  This
sounds pretty paranoid because it is.  Those ports are
a treasure-trove of information.  There are a bunch of
other things I like to do to my 2k box, but they are
out of scope for this list.  I just wanted to say this
stuff cause you could get rocked from the inside if
this stuff is accessible.



--- Eric Joe <sysop () tje1 com> wrote:

Since udp 137 is a well-known M$ port this could be
normal, but it's worth checking.  No one with a source
IP that you don't know should be hitting that port
anyway (to be frank, no one at all should be hitting
that port).  So check the target for vulnerability
(file and print sharing, shares, non-renamed
administrator account....) and see if the source is an
attacker.

It would be a very good idea to block this port altogether (along with
135 and 139) at your border router, then it becomes a non-issue and it's
much safer for your users.


-- 
Eric Joe
Network Operations
Journey's End Internet/Computer Connection Inc





-------------------------------------------------------
This sf.net email is sponsored by: To learn the basics of securing
your web site with SSL, click here to get a FREE TRIAL of a Thawte
Server Certificate: http://www.gothawte.com/rd524.html
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


=====
-----------------------------------------------------------
If you give a man a fish, he can eat for a day
If you bludgeon him to death, you can eat the fish yourself                       
-----------------------------------------------------------
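
The check discussed in this thread (is an unknown source hitting 135-139 or 445?) can be run over Snort fast-format alerts. The script below is an added example, not code from either poster or from the Snort project; the `KNOWN_NETS` range, the function names and the sample alert lines are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Ports named in the thread: 135-139 and 445.
WATCHED_PORTS = set(range(135, 140)) | {445}

# Assumption: the networks whose hosts you "know". Replace with your own.
KNOWN_NETS = [ipaddress.ip_network("192.168.10.0/24")]

# Tail of a Snort fast alert line: {PROTO} src:sport -> dst:dport
FLOW_RE = re.compile(
    r"\{(?P<proto>TCP|UDP)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample alerts (documentation address ranges), not real traffic.
SAMPLE_ALERTS = """\
11/14-11:20:01.000001  [**] [1:0:0] constructed [**] [Priority: 2] {UDP} 198.51.100.7:1029 -> 192.168.10.5:137
11/14-11:20:01.000402  [**] [1:0:0] constructed [**] [Priority: 2] {UDP} 198.51.100.7:1029 -> 192.168.10.6:137
11/14-11:20:03.100000  [**] [1:0:0] constructed [**] [Priority: 2] {UDP} 192.168.10.20:137 -> 192.168.10.5:137
11/14-11:21:10.500000  [**] [1:0:0] constructed [**] [Priority: 2] {TCP} 203.0.113.9:4021 -> 192.168.10.5:445
11/14-11:21:11.500000  [**] [1:0:0] constructed [**] [Priority: 2] {TCP} 203.0.113.9:4022 -> 192.168.10.5:80
11/14-11:21:12.000000  [**] [1:0:0] constructed [**] [Priority: 3] {ICMP} 203.0.113.9 -> 192.168.10.5
"""

def is_known(ip):
    """True when the address falls inside one of the KNOWN_NETS ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_NETS)

def triage(alert_text):
    """Map each unknown source to the sorted (dst, proto, dport) targets it hit."""
    hits = defaultdict(set)
    for line in alert_text.splitlines():
        m = FLOW_RE.search(line)
        if not m:
            continue  # ICMP alerts and other lines carry no port pair
        dport = int(m["dport"])
        if dport in WATCHED_PORTS and not is_known(m["src"]):
            hits[m["src"]].add((m["dst"], m["proto"], dport))
    return {src: sorted(targets) for src, targets in hits.items()}

if __name__ == "__main__":
    for src, targets in sorted(triage(SAMPLE_ALERTS).items()):
        hosts = {dst for dst, _, _ in targets}
        print(f"{src}: {len(targets)} hit(s) on {len(hosts)} host(s): {targets}")
```

Emptying `KNOWN_NETS` makes the script report internal sources as well, which matches the concern about these ports being reachable from the inside.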


