[Snort-users] Odd traffic from Windows 2K servers

Rich Adamson radamson at ...2127...
Thu Oct 11 09:45:11 EDT 2001

My company (Network Partners Inc) has been doing network health
checks and vulnerability analysis for about seven years in over
forty states. We are very heavy into protocol analysis, network 
performance, security, etc.

I've only seen one case similar to what you've described, and that
was a company in Omaha that hired a not-so-informed programmer to
write a special application for them. The programmer wrote the app
to communicate with another Windows app (on the same box). It was
generating a fair amount of LAN traffic destined for itself as 
observed with a NAI Sniffer. Once the detail was analyzed, the
company recognized the issue and we left. I did not get to see the
source code or even begin to understand what he did that created
the issue. Ordinarily the stack would not ship that type of data
on the wire.

If you have full access to the box, one brute-force mechanism to
use to identify the source is to simply kill processes one at a
time through task manager to identify the errant app (assuming
all other avenues have been attempted). I'd suspect there is more
to the story than what we understand thus far.

> My question is still:
> Has anyone seen behaviour before where a Windows box will send
> UDP traffic to _itself_?
> If so, what was the cause (since Technet, Google, etc. turn up
> nothing) and the cure?
> If not, does anyone have any suggestions? (Other than ripping
> them out and replacing with UNIX - already been there with the
> PHB's.)
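Before killing processes one at a time, the sniffer output can be reduced to the one pattern at issue, a host sending UDP to its own LAN address, and summarised by port pair so the listening process can be looked up with netstat first. The script below is an added example, not code from the original thread; it assumes tcpdump-style text lines (the post used an NAI Sniffer), and the sample lines, addresses and ports are constructed.

```python
import re
from collections import Counter

# Constructed sample in tcpdump-like text format (not a capture from the post).
SAMPLE_LINES = """\
09:41:02.100101 IP 10.0.0.25.1532 > 10.0.0.25.4000: UDP, length 64
09:41:02.100350 IP 10.0.0.25.1532 > 10.0.0.25.4000: UDP, length 64
09:41:02.101200 IP 10.0.0.25.1532 > 10.0.0.25.4000: UDP, length 64
09:41:02.200000 IP 10.0.0.25.137 > 10.0.0.255.137: UDP, length 50
09:41:02.300000 IP 10.0.0.25.2049 > 10.0.0.9.53: UDP, length 33
09:41:02.400000 IP 127.0.0.1.5353 > 127.0.0.1.5353: UDP, length 20
09:41:02.500000 IP 10.0.0.25.1532 > 10.0.0.25.4000: UDP, length 64
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): UDP, length (?P<len>\d+)$"
)

def parse_udp(line):
    """Return (src, sport, dst, dport, length) or None if not a UDP line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), int(m["len"]))

def self_addressed_udp(lines, ignore_loopback=True):
    """Count UDP datagrams whose source and destination IP are the same host.
    Loopback (127/8) self-traffic is normal and skipped by default; a host
    addressing datagrams to its own LAN address on the wire is the anomaly
    described in the thread. Returns a Counter keyed by (ip, sport, dport) so
    the port pair can be matched against the owning process before resorting
    to killing processes one at a time."""
    hits = Counter()
    for line in lines:
        rec = parse_udp(line)
        if rec is None:
            continue
        src, sport, dst, dport, _ = rec
        if src != dst:
            continue
        if ignore_loopback and src.startswith("127."):
            continue
        hits[(src, sport, dport)] += 1
    return hits

if __name__ == "__main__":
    for (ip, sport, dport), n in self_addressed_udp(SAMPLE_LINES).most_common():
        print(f"{ip}: {n} UDP datagrams from port {sport} to port {dport} on itself")
```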
