[Snort-users] Odd traffic from Windows 2K servers

Vazquez, Ed Ed.Vazquez at ...3770...
Wed Oct 10 17:24:06 EDT 2001


Here's a strange one - I'm getting _thousands_ of packets per
hour from the Windows 2K domain controllers / Active Directory
root servers (both functions on same box).

They generate UDP port 137/138 traffic that has both the source
and destination _exactly the same_ (port and IP).

i.e.:

BAD TRAFFIC same SRC/DST 2001-10-11 00:19:28 10.146.10.149:138 10.146.10.149:138 UDP

I'm more of a *NIX head than a Gates Clone, so this was something
_really_ strange to me.  The local admins are clueless as well.

I searched on Google, MS Technet, etc. with no luck on finding
anything that causes this error.

Anyone out there seen this before?  Can help me identify what's
causing this traffic?  Should I just "tune" it out of the rules?

Thanks, 

-- 
Ed Vázquez

I *____knew* I had some reason for not logging you off... If I could just
remember what it was.
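Added example, not part of the original post: a small triage script that groups alerts in the format quoted above (one alert per line) by host, port and hour, and keeps any same-SRC/DST alert that is not UDP 137/138 in a separate list so that a tuning decision scoped to the reported pattern does not hide it. The sample lines are constructed; only 10.146.10.149 comes from the post, the other addresses and the function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample alerts in the one-line format quoted in the post.
SAMPLE_ALERTS = """\
BAD TRAFFIC same SRC/DST 2001-10-11 00:19:28 10.146.10.149:138 10.146.10.149:138 UDP
BAD TRAFFIC same SRC/DST 2001-10-11 00:19:41 10.146.10.149:137 10.146.10.149:137 UDP
BAD TRAFFIC same SRC/DST 2001-10-11 00:47:02 10.146.10.149:138 10.146.10.149:138 UDP
BAD TRAFFIC same SRC/DST 2001-10-11 01:03:15 10.146.10.150:137 10.146.10.150:137 UDP
BAD TRAFFIC same SRC/DST 2001-10-11 01:05:09 10.146.10.77:80 10.146.10.77:80 TCP
"""

ALERT_RE = re.compile(
    r"^BAD TRAFFIC same SRC/DST (\d{4}-\d{2}-\d{2}) (\d{2}):\d{2}:\d{2} "
    r"(\S+):(\d+) (\S+):(\d+) (\w+)$"
)
NETBIOS_UDP = {137, 138}  # the two UDP ports named in the post

def triage(text):
    """Separate alerts matching the reported pattern from all other alerts."""
    netbios = Counter()  # (host, port, "YYYY-MM-DD HH") -> alert count
    other = []           # alerts a narrowly scoped tuning rule must not hide
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue  # not a same SRC/DST alert in the expected format
        day, hour, src, sport, dst, dport, proto = m.groups()
        sport, dport = int(sport), int(dport)
        if src == dst and sport == dport and proto == "UDP" and sport in NETBIOS_UDP:
            netbios[(src, sport, f"{day} {hour}")] += 1
        else:
            other.append(line.strip())
    return netbios, other

def hosts_to_review(netbios):
    """Total matching alerts per host, for a per-host tuning decision."""
    totals = Counter()
    for (host, _port, _hour), count in netbios.items():
        totals[host] += count
    return dict(totals)

if __name__ == "__main__":
    nb, rest = triage(SAMPLE_ALERTS)
    for key, count in sorted(nb.items()):
        print(key, count)
    print("review separately:", rest)
```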
