[Snort-users] Netbios

Jason Robertson jason at ...734...
Tue Nov 21 15:20:51 EST 2000


The only problem with NetBIOS attempts to connect to port 137 is the simple 
fact that if a host that is a Windows box attempts to do a reverse DNS on the 
IP address, it will always send a NetBIOS name request on UDP port 137 for 
the resolution.

This will happen for anything that may do a reverse, including someone 
pinging or tracert, or even regular web traffic.  Though blocked, our network 
has sent out over 800 of these in about 45 minutes.  I would check, though, on 
the machine that is the destination; I would first determine if anything new 
was started, as there may be new traffic relating to a new website or the 
like.

It could also be more related to some trojan, though there are the usual 
standard scans that pass through as well, on a regular basis.  My only 
suggestion, and I suggest this for every company: block incoming and 
outgoing UDP and TCP 135-139 (well, you can get away with 137-139).


---
Jason Robertson                
Network Analyst            
jason at ...734...    
http://www.astroadvice.com      
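
Added example, not part of the original post: a small triage helper that parses a UDP/137 payload and flags the wildcard node status (NBSTAT) request, so this background noise can be separated from other port 137 traffic when reviewing alerts. It assumes the request described above is the RFC 1002 wildcard status query; the function names and the two sample payloads are constructed for illustration.

```python
import struct

QTYPES = {0x0020: "NB", 0x0021: "NBSTAT"}  # RFC 1002 question types

def encode_nb_name(raw16: bytes) -> bytes:
    """First-level encoding: each byte becomes two letters 'A'..'P'."""
    return bytes(b for c in raw16 for b in (0x41 + (c >> 4), 0x41 + (c & 0x0F)))

def decode_nb_name(encoded: bytes) -> bytes:
    """Undo first-level encoding; reject anything outside 'A'..'P'."""
    if len(encoded) != 32 or any(not 0x41 <= c <= 0x50 for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    return bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                 for i in range(0, 32, 2))

def classify_nbns(payload: bytes) -> dict:
    """Describe the first question in one UDP/137 payload."""
    if len(payload) < 50:  # 12 header + 1 length + 32 name + 1 end + 4 type/class
        raise ValueError("too short for a name service question")
    txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if payload[12] != 0x20 or payload[45] != 0x00:
        raise ValueError("unexpected name length or non-empty scope")
    name = decode_nb_name(payload[13:45])
    qtype = struct.unpack("!H", payload[46:48])[0]
    is_request = (flags & 0x8000) == 0 and qdcount >= 1  # R bit clear
    return {
        "txid": txid,
        "request": is_request,
        "qtype": QTYPES.get(qtype, hex(qtype)),
        "name": name.rstrip(b"\x00 ").decode("ascii", "replace"),
        # Status request for the wildcard name "*" padded with NULs
        "nbstat_wildcard": is_request and qtype == 0x0021
                           and name == b"*" + b"\x00" * 15,
    }

def build_query(txid: int, flags: int, raw16: bytes, qtype: int) -> bytes:
    """Build a one-question payload (used only for the constructed samples)."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return (header + b"\x20" + encode_nb_name(raw16) + b"\x00"
            + struct.pack("!HH", qtype, 1))

# Constructed sample payloads, not captured traffic.
WILDCARD_STATUS = build_query(0x1234, 0x0000, b"*" + b"\x00" * 15, 0x0021)
NAME_QUERY = build_query(0x0042, 0x0110, b"FILESRV".ljust(15) + b"\x20", 0x0020)

if __name__ == "__main__":
    for sample in (WILDCARD_STATUS, NAME_QUERY):
        print(classify_nbns(sample))
```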


