[Snort-users] netbios-name-query

Graeme Fowler graeme.fowler at ...2189...
Mon Jun 11 08:35:25 EDT 2001


rob wrote:
> I have recently, say within the last month, noticed an 
> unusual amount of 'netbios-name-query' (port 137) scans
> on my machine...at least 4/5 a day.

...and then Rimas wrote:
> I has the same problem ( I use Snort too). You may disable 
> the tcp and upd 137 - 139 ports with netfilter and would
> be no problems to get your NetBIOS  name and no alerts from
> Snort.

...and finally, Matthew Collins wrote:
> I get lots and lots of these, every day. Most of them are a 1 
> off scan of a single IP address. Some of them are misconfigured
> machines that try and use NetBIOS whenever they send us email :).

Hehe :)

'Misconfigured machines' is not _quite_ correct, more like 'misconfigured
operating system' or more accurately 'misconfigured network protocol stack'.

Some (early?) releases/builds of W9x - don't know about the more recent ones
- had a nasty habit of prefixing all TCP connections with a NetBIOS name
lookup, presumably since Internet Exploder and Windows Exploder had become
so tightly integrated. In a previous role in an academic environment we used
to see these all the time, particularly destined for our primary webserver
address. At first we though it to be some kind of weird probe; that hunch
turned out to be correct, but it was less malicious than we first thought...

I guess filtering is the only option. Education obviously hasn't worked as
we're still all out here using the damned thing in corporate LANs :(

Graeme




More information about the Snort-users mailing list