[Snort-users] Very interesting packet
TRansom at ...197...
Sun Jul 30 09:24:56 EDT 2000
Anyone know how to decode the NetBIOS data in the packet?
From: Fyodor [mailto:fygrave at ...121...]
Sent: Sunday, July 30, 2000 6:39 AM
To: Lance Spitzner
Cc: Bill Pennington; Snort-Users (E-mail)
Subject: Re: [Snort-users] Very interesting packet
~ :Good guess! But it looks like they are sequentially scanning systems
~ :blindly, they scanned 7 systems of mine that do not exist. So, if
~ :they do not get any response, they either have a Windows box, or
~ :no box at all. Seems to be easier ways to get info ?!?
Blind guess: I've been seeing udp 137<-->137 traffic being rejected on my
firewalls for quite a long time. Further investigation showed that if
netbios is configured on external `interface' of windoze box, windoze
tries to resolve remote boxen name via netbios as well. Maybe this is
another breed of microsoft crawling featurism? :)
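
On the decoding question, an added example that is not part of the original thread: a minimal parser for the header and first question of a NetBIOS Name Service payload on UDP 137, undoing the RFC 1001/1002 first-level name encoding. The packet under discussion is not reproduced on this page, so the sample payload is constructed (a wildcard node-status query), and the function names are illustrative.

```python
import struct

QTYPES = {0x0020: "NB", 0x0021: "NBSTAT"}  # RFC 1002 question types

def decode_nb_name(label: bytes):
    """Undo first-level encoding: 32 chars 'A'..'P' -> (name, suffix byte)."""
    if len(label) != 32 or any(not 0x41 <= c <= 0x50 for c in label):
        raise ValueError("not a first-level encoded NetBIOS name")
    # Each pair of characters carries one byte: high nibble, then low nibble.
    raw = bytes(((label[i] - 0x41) << 4) | (label[i + 1] - 0x41)
                for i in range(0, 32, 2))
    # Bytes 0-14 are the padded name, byte 15 is the service suffix.
    return raw[:15].rstrip(b" \x00").decode("ascii", "replace"), raw[15]

def parse_nbns_question(payload: bytes):
    """Parse the header and first question of a UDP/137 payload."""
    if len(payload) < 12:
        raise ValueError("shorter than the 12-byte NBNS header")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", payload[:12])
    if qdcount < 1 or len(payload) < 46 or payload[12] != 0x20:
        raise ValueError("no well-formed question section")
    name, suffix = decode_nb_name(payload[13:45])
    pos = 45
    while True:  # skip optional scope labels up to the root label (0x00)
        if pos >= len(payload):
            raise ValueError("name is not terminated")
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("unexpected compression pointer in question")
        pos += length
    if pos + 4 > len(payload):
        raise ValueError("truncated QTYPE/QCLASS")
    qtype, qclass = struct.unpack("!2H", payload[pos:pos + 4])
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "opcode": (flags >> 11) & 0xF, "broadcast": bool(flags & 0x0010),
            "name": name, "suffix": suffix,
            "qtype": QTYPES.get(qtype, hex(qtype)), "qclass": qclass}

# Constructed sample: wildcard node-status query ("*" padded with NULs).
SAMPLE = (struct.pack("!6H", 0x1234, 0x0000, 1, 0, 0, 0)
          + b"\x20" + b"CK" + b"A" * 30 + b"\x00"
          + struct.pack("!2H", 0x0021, 0x0001))

if __name__ == "__main__":
    print(parse_nbns_question(SAMPLE))
```

To use it on a capture, pass the UDP payload bytes (everything after the UDP header) of a port 137 packet to `parse_nbns_question`.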