[Snort-users] netbios-name-query

Rimantas Mocevicius rmocius at ...2161...
Mon Jun 11 07:57:19 EDT 2001


Hi Matthew,

I have the same problem (I use Snort too). You may disable the TCP and UDP
137 - 139 ports with netfilter and there would be no problems to get your
NetBIOS name and no alerts from Snort.


Regards

Rimas

----- Original Message -----
From: "Matthew Collins" <Matthew.Collins at ...1681...>
To: <snort-users at lists.sourceforge.net>
Sent: Monday, June 11, 2001 11:55 AM
Subject: Re: [Snort-users] netbios-name-query


> I get lots and lots of these, every day. Most of them are a 1 off scan of
> a single IP address. Some of them are misconfigured machines that try and
> use NetBIOS whenever they send us email :).
>
> I mostly ignore them. If I get someone scanning the whole IP address
> range, I might fire off a complaint, but that's very rare.
>
> >>> "Robert L. Yelvington" <robert at ...579...> 08/06/01 18:54:18 >>>
> I run snort 1.7 w/vision.conf from whitehats.com on fBSD 4.3 machine,
> runs like a champ w/no probs!
>
> I have recently, say within the last month, noticed an unusual amount of
> 'netbios-name-query' (port 137) scans
> on my machine...at least 4/5 a day.
>
> Should I be worried about this?
>
> The scans are rarely across more than a couple of IPs in my /26 address
> space and mostly originate from some dsl or cable
> provider's network.
>
> Has anyone else noticed this?  OR can someone provide comments?
>
> thanx,
> ~rob
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users




