[Snort-users] Odd traffic from Windows 2K servers
Ed.Vazquez at ...3770...
Thu Oct 11 09:05:10 EDT 2001
Oh yes, I am aware that these are the NETBIOS ports. These are
internal Domain Controllers/Active Directory root servers so
NETBIOS is acceptable (well, UNIX with LDAP would be preferable,
but since most folks here can't spell it I've got to work with
what I have).
My question is still:
Has anyone seen behaviour before where a Windows box will send
UDP traffic to _itself_?
If so, what was the cause (since Technet, Google, etc. turn up
nothing) and the cure?
If not, does anyone have any suggestions? (Other than ripping
them out and replacing with UNIX - already been there with the
> -----Original Message-----
> From: Len Conrad [mailto:LConrad at ...3685...]
> Sent: Wednesday, October 10, 2001 19:46
> To: Vazquez, Ed
> Subject: Re: [Snort-users] Odd traffic from Windows 2K servers
> At 18:22 2001-10-10 -0600, you wrote:
> >Here's a strange one - I'm getting _thousands_ of packets per
> >hour from the Windows 2K domain controllers / Active Directory
> >root servers (both functions on same box).
> >They generate UDP port 137/138 traffic that has both the source
> >and destination _exactly the same_ (port and IP).
> ports 137-138 = netbios. should not have netbios allowed in/out border
> firewall, should not have netbios running on public server.
> http://BIND8NT.MEIway.com : ISC BIND 8.2.4 for NT4 & W2K
> http://IMGate.MEIway.com : Build free, hi-perf, anti-abuse
> mail gateways