[Snort-users] Very interesting packet

Todd Ransom TRansom at ...197...
Sun Jul 30 09:24:56 EDT 2000

Anyone know how to decode the NetBIOS data in the packet?


-----Original Message-----
From: Fyodor [mailto:fygrave at ...121...]
Sent: Sunday, July 30, 2000 6:39 AM
To: Lance Spitzner
Cc: Bill Pennington; Snort-Users (E-mail)
Subject: Re: [Snort-users] Very interesting packet

~ :
~ :Good guess!  But it looks like they are sequentially scanning systems
~ :blindly, they scanned 7 systems of mine that do not exist.  So, if
~ :they do not get any response, they either have a Windows box, or
~ :no box at all.  Seems to be easier ways to get info ?!?
~ :

Blind guess: I've been seeing udp 137<-->137 traffic being rejected on my
firewalls for quite a long time. Further investigation showed that if
netbios is configured on external `interface' of windoze box, windoze
tries to resolve remote boxen name via netbios as well. Maybe this is
another breed of microsoft crawling featurism? :)

Snort-users mailing list
Snort-users at lists.sourceforge.net
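
Added example, not part of the original posts: a minimal decoder for the NetBIOS Name Service data carried in a UDP 137 packet, undoing the first-level name encoding defined in RFC 1001/1002. The sample payload is constructed (a wildcard node status query of the kind `nbtstat -A` sends), since the packet under discussion is not reproduced in this message; the function names are illustrative.

```python
import struct

QTYPES = {0x0020: "NB", 0x0021: "NBSTAT"}

def decode_nb_name(encoded: bytes):
    """Undo first-level encoding: 32 letters 'A'..'P' become 16 raw bytes."""
    if len(encoded) != 32 or any(not 0x41 <= c <= 0x50 for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    # Each pair of letters holds the high and low nibble of one byte.
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    # Bytes 0..14 are the padded name, byte 15 is the suffix (service type).
    return raw[:15].rstrip(b" \x00").decode("ascii", "replace"), raw[15]

def parse_nbns_query(payload: bytes):
    """Parse the first question in the UDP payload of a port 137 packet."""
    if len(payload) < 12:
        raise ValueError("truncated NBNS header")
    txid, flags, qdcount = struct.unpack("!3H", payload[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    off = 12
    if len(payload) < off + 33 or payload[off] != 0x20:
        raise ValueError("expected a 32-byte encoded name label")
    name, suffix = decode_nb_name(payload[off + 1:off + 33])
    off += 33
    # Skip optional scope labels until the zero-length root label.
    while off < len(payload) and payload[off] != 0:
        if payload[off] & 0xC0:
            raise ValueError("compressed label not expected in a question")
        off += 1 + payload[off]
    if len(payload) < off + 5:
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", payload[off + 1:off + 5])
    return {"txid": txid, "response": bool(flags & 0x8000),
            "opcode": (flags >> 11) & 0xF, "broadcast": bool(flags & 0x0010),
            "name": name, "suffix": suffix,
            "qtype": QTYPES.get(qtype, hex(qtype)), "qclass": qclass}

# Constructed sample: unicast node status query for the wildcard name "*".
SAMPLE = (bytes.fromhex("a1b2" "0000" "0001" "0000" "0000" "0000")
          + b"\x20" + b"CK" + b"A" * 30 + b"\x00"
          + bytes.fromhex("0021" "0001"))

if __name__ == "__main__":
    print(parse_nbns_query(SAMPLE))
```

A decoded name of `*` with query type NBSTAT is a node status request sent without knowing the target's name, whereas an NB query carries the specific name being resolved.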