Snort mailing list archives

Question on the NetBIOS rules and port 445 in general


From: Kevin Smith <kjsmith () tm net>
Date: Wed, 18 May 2005 08:40:24 -0400

Hey everyone,

I have been noticing a lot of traffic coming from our end users' computers on TCP port 445. Basically, this is all the traffic coming through our snort box we have set up. Every once in a while I will see a port 80 or maybe 135-139. If I enable the NetBIOS rules that came with 2.3 I notice that I get nothing. Does that just mean there isn't anything I should worry about? If you look you can see that it isn't just to one IP but to many. Is this normal for NetBIOS to do, or could it be signs of virus/spyware activity? Sorry if this is a dumb question, but I'm just lost. Any help with understanding what I am seeing here would be greatly appreciated.

Src. Port   Dest. IP        Dest. Port   Timestamp
3036        64.7.179.58     445          2005-05-17 23:49:28
3039        64.7.182.138    445          2005-05-17 23:49:28
3053        64.7.181.247    445          2005-05-17 23:49:29
3081        64.7.181.190    445          2005-05-17 23:49:30
3082        64.7.181.190    445          2005-05-17 23:49:30
3039        64.7.182.138    445          2005-05-17 23:49:31
3036        64.7.179.58     445          2005-05-17 23:49:31
3053        64.7.181.247    445          2005-05-17 23:49:32
3081        64.7.181.190    445          2005-05-17 23:49:33

Thanks again,
Kevin
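
One way to triage the rows in the table above, as an added example that is not part of the original post: it groups the rows by (source port, destination IP) and reports how many distinct destinations were contacted on port 445 and which flows repeat. The function names are hypothetical, and treating a repeat of the same source port and destination as a retry of one connection attempt is an assumption, since the post shows no source IP or TCP flags.

```python
from collections import defaultdict
from datetime import datetime

# Rows copied from the table in the post: src port, dest IP, dest port, timestamp.
ROWS = """\
3036 64.7.179.58 445 2005-05-17 23:49:28
3039 64.7.182.138 445 2005-05-17 23:49:28
3053 64.7.181.247 445 2005-05-17 23:49:29
3081 64.7.181.190 445 2005-05-17 23:49:30
3082 64.7.181.190 445 2005-05-17 23:49:30
3039 64.7.182.138 445 2005-05-17 23:49:31
3036 64.7.179.58 445 2005-05-17 23:49:31
3053 64.7.181.247 445 2005-05-17 23:49:32
3081 64.7.181.190 445 2005-05-17 23:49:33
"""

def parse(text):
    """Yield (src_port, dst_ip, dst_port, timestamp) for each well-formed row."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip blank, header or malformed lines
        sport, dst, dport, day, clock = parts
        ts = datetime.strptime(f"{day} {clock}", "%Y-%m-%d %H:%M:%S")
        yield int(sport), dst, int(dport), ts

def summarize(text, port=445):
    """Summarize fan-out and repeated flows for one destination port."""
    flows = defaultdict(list)  # (src_port, dst_ip) -> timestamps seen
    for sport, dst, dport, ts in parse(text):
        if dport == port:
            flows[(sport, dst)].append(ts)
    times = sorted(t for seen in flows.values() for t in seen)
    repeats = {}  # flows seen more than once -> gaps in seconds between sightings
    for key, seen in flows.items():
        seen.sort()
        if len(seen) > 1:
            repeats[key] = [int((b - a).total_seconds()) for a, b in zip(seen, seen[1:])]
    return {
        "rows": len(times),
        "flows": len(flows),
        "destinations": len({dst for _, dst in flows}),
        "span_seconds": int((times[-1] - times[0]).total_seconds()) if times else 0,
        "repeats": repeats,
    }

if __name__ == "__main__":
    print(summarize(ROWS))
```

On the posted rows this reports 5 flows to 4 destinations within 5 seconds, with 4 of those flows seen again after 3 seconds.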

