Snort mailing list archives
Samba and "BAD-TRAFFIC 0 ttl" alerts
From: <hugh_fraser () dofasco ca>
Date: Tue, 1 Jun 2004 15:23:04 -0400
I've been seeing a lot of "BAD-TRAFFIC 0 ttl" alerts recently, from port 137 to port 137 on the subnet broadcast address. It appears to be coming from nmbd running on Red Hat Enterprise Server. According to the RFCs, sending a packet with a 0 ttl is invalid, but I cannot see anything in the Samba config that would cause this. There are plenty of references to WINS ttl values, but nothing about IP. Is this normal behaviour for Samba, the result of misconfigurations, or an indication of something more sinister?
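For triaging a capture of the traffic described in the post above, here is an added example (not part of the original message and not Snort or Samba code) that reads the IP-layer TTL, the UDP ports and the destination from a raw IPv4 packet. The function names, the 192.0.2.0/24 subnet and the sample packet are constructed for illustration.

```python
import ipaddress
import struct

NBNS_PORT = 137  # NetBIOS name service, the port named in the post


def build_sample(ttl):
    """Constructed IPv4/UDP packet, 192.0.2.10:137 -> 192.0.2.255:137.
    Checksums are left at zero; triage() does not validate them."""
    udp = struct.pack("!HHHH", NBNS_PORT, NBNS_PORT, 8, 0)
    src = ipaddress.IPv4Address("192.0.2.10").packed
    dst = ipaddress.IPv4Address("192.0.2.255").packed
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp),
                     0, 0, ttl, 17, 0, src, dst)
    return ip + udp


def triage(packet, subnet):
    """Return the fields relevant to the alert, or None when the bytes are
    not an unfragmented-or-first-fragment IPv4/UDP packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4                      # header length in bytes
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    if ihl < 20 or len(packet) < ihl + 8 or packet[9] != 17 or frag_offset:
        return None                                   # no UDP header to read
    src = ipaddress.IPv4Address(packet[12:16])
    dst = ipaddress.IPv4Address(packet[16:20])
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    net = ipaddress.ip_network(subnet)
    return {
        "src": str(src),
        "ttl": packet[8],                             # IP TTL, not a WINS TTL
        "nbns_pair": sport == NBNS_PORT and dport == NBNS_PORT,
        "subnet_broadcast": dst == net.broadcast_address,
        "src_local": src in net,
    }


def matches_post(packet, subnet):
    """True for the pattern in the post: TTL 0, 137 -> 137, subnet broadcast."""
    r = triage(packet, subnet)
    return bool(r and r["ttl"] == 0 and r["nbns_pair"] and r["subnet_broadcast"])
```

The `src` and `src_local` fields identify which host on the segment emitted the packet, which is the starting point for checking whether nmbd on that machine is the sender.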