[Snort-users] untp connection question

Wed Nov 15 21:24:15 EST 2000

During the last few days I've noticed the firewall dropping packets that
were directed to some internal machines.  The connections were being made
to port 119 nntp/untp.  The only pattern I noticed was that connections
were always being attempted to the same two internal Windows 95 machines.
The hosts that are attempting the connections vary but two things remain
constant, that is the destination port and the destination host.

This morning I did an nmap scan of the two internal hosts in
question.  Both hosts have ports 135/loc-srv, 139/netbios-ssn and
1026/nterm open.  Standard desktop machines on our network only have
port 139 open. 

I did some research and found that nterm is a program called NetTerm which
is a telnet client for Win32 machines.  This is not software that we have
a license for but that's another issue.

I was just curious if anyone here might know what would cause someone to
attempt untp connections on hosts that do not have this port open.  I'm
curious if some type of activity by the internal users would cause this
type of traffic.



