[Snort-users] Odd traffic from Windows 2K servers

Michael Steele michaels at ...155...
Fri Oct 12 08:05:06 EDT 2001


You could always try shutting tasks down one at a time until you find
what is generating the traffic.


          Commercial Snort Support
Silicon Defense - www.silicondefense.com
Michael Steele - Snort Support Technician

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Vazquez,
Sent: Wednesday, October 10, 2001 5:23 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Odd traffic from Windows 2K servers

Here's a strange one - I'm getting _thousands_ of packets per
hour from the Windows 2K domain controllers / Active Directory
root servers (both functions on same box).

They generate UDP port 137/138 traffic that has both the source
and destination _exactly the same_ (port and IP).


BAD TRAFFIC same SRC/DST 2001-10-11 00:19:28 UDP

I'm more of a *NIX head than a Gates Clone, so this was something
_really_ strange to me.  The local admins are clueless as well.

I searched on Google, MS Technet, etc. with no luck on finding
anything that causes this error.

Anyone out there seen this before?  Can help me identify what's
causing this traffic?  Should I just "tune" it out of the rules?


Ed Vázquez

I *____knew* I had some reason for not logging you off... If I could
remember what it was.

More information about the Snort-users mailing list