[Snort-users] Odd traffic from Windows 2K servers

Vazquez, Ed Ed.Vazquez at ...3770...
Thu Oct 11 09:05:10 EDT 2001

Oh yes, I am aware that these are the NETBIOS ports.  These are
internal Domain Controllers/Active Directory root servers so
NETBIOS is acceptable (well, UNIX with LDAP would be preferrable,
but since most folks here can't spell it I've got to work with
what I have).

My question is still:

Has anyone seen behaviour before where a Windows box will send
UDP traffic to _itself_?

If so, what was the cause (since Technet, Google, etc. turn up
nothing) and the cure?

If not, does anyone have any suggestions? (Other than ripping
them out and replacing with UNIX - already been there with the

- Ed

> -----Original Message-----
> From: Len Conrad [mailto:LConrad at ...3685...]
> Sent: Wednesday, October 10, 2001 19:46
> To: Vazquez, Ed
> Subject: Re: [Snort-users] Odd traffic from Windows 2K servers
> At 18:22 2001-10-10 -0600, you wrote:
> >Here's a strange one - I'm getting _thousands_ of packets per
> >hour from the Windows 2K domain controllers / Active Directory
> >root servers (both functions on same box).
> >
> >They generate UDP port 137/138 traffic that has both the source
> >and destination _exactly the same_ (port and IP).
> ports 137-138 = netbios.  should not have netbios allowed 
> in/out border 
> firewall, should not have netbios running on public server.
> Len
> http://MenAndMice.com/DNS-training
> http://BIND8NT.MEIway.com : ISC BIND 8.2.4 for NT4 & W2K
> http://IMGate.MEIway.com  : Build free, hi-perf, anti-abuse 
> mail gateways
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: InterScan_Disclaimer.txt
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20011011/82e14c35/attachment.txt>

More information about the Snort-users mailing list