[Snort-users] Odd traffic from Windows 2K servers

Michael Steele michaels at ...155...
Fri Oct 12 08:05:06 EDT 2001


Ed,

You could always try shutting tasks down one at a time until you find
what is generating the traffic.

-Mike

          Commercial Snort Support
               1.866.41.SNORT
Silicon Defense - www.silicondefense.com
Michael Steele - Snort Support Technician

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Vazquez,
Ed
Sent: Wednesday, October 10, 2001 5:23 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Odd traffic from Windows 2K servers

Here's a strange one - I'm getting _thousands_ of packets per
hour from the Windows 2K domain controllers / Active Directory
root servers (both functions on same box).

They generate UDP port 137/138 traffic that has both the source
and destination _exactly the same_ (port and IP).

i.e.:

BAD TRAFFIC same SRC/DST 2001-10-11 00:19:28 10.146.10.149:138 10.146.10.149:138 UDP

I'm more of a *NIX head than a Gates Clone, so this was something
_really_ strange to me.  The local admins are clueless as well.

I searched on Google, MS Technet, etc. with no luck on finding
anything that causes this error.

Anyone out there seen this before?  Can help me identify what's
causing this traffic?  Should I just "tune" it out of the rules?

Thanks, 

-- 
Ed Vázquez

I *knew* I had some reason for not logging you off... If I could just
remember what it was.
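The alert quoted above is Snort's "BAD TRAFFIC same SRC/DST" signature: a packet whose source IP:port equals its destination IP:port, which should not occur on a sane network and is why the rule exists. Before tuning it out wholesale, it is worth confirming that every hit really is the UDP 137/138 pattern from the domain controllers and not something else hiding behind the same signature. The following is an added example, not code from the thread or from Snort: it parses alert lines in the layout quoted above (the sample alerts are constructed), checks the same-src/dst condition, and groups hits by host so the NetBIOS noise can be scoped to specific hosts while any non-NetBIOS hit stays visible. The port set and the one-line alert format are assumptions drawn from the message, not from Snort's documentation.

```python
import re
from collections import Counter
from typing import NamedTuple, Optional

# Constructed sample alerts in the same layout as the one quoted in the thread.
# The 192.0.2.77 line is a deliberately different case that a NetBIOS-only
# pass rule would otherwise silence; the last line is not same-src/dst at all.
SAMPLE_ALERTS = """\
BAD TRAFFIC same SRC/DST 2001-10-11 00:19:28 10.146.10.149:138 10.146.10.149:138 UDP
BAD TRAFFIC same SRC/DST 2001-10-11 00:19:31 10.146.10.149:137 10.146.10.149:137 UDP
BAD TRAFFIC same SRC/DST 2001-10-11 00:20:02 10.146.10.150:138 10.146.10.150:138 UDP
BAD TRAFFIC same SRC/DST 2001-10-11 00:21:45 192.0.2.77:53 192.0.2.77:53 UDP
SOME OTHER ALERT 2001-10-11 00:22:00 10.146.10.149:138 10.146.10.255:138 UDP
"""

# Assumed field order: message, date, time, src ip:port, dst ip:port, protocol.
ALERT_RE = re.compile(
    r"^(?P<msg>.+?) (?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<src_ip>[\d.]+):(?P<src_port>\d+) "
    r"(?P<dst_ip>[\d.]+):(?P<dst_port>\d+) (?P<proto>\w+)$"
)

# NetBIOS name service (137) and datagram service (138), the ports in the report.
NETBIOS_PORTS = {137, 138}


class Alert(NamedTuple):
    msg: str
    timestamp: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str


def parse_alert(line: str) -> Optional[Alert]:
    """Parse one alert line; return None for lines that do not match the layout."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    return Alert(
        msg=m["msg"],
        timestamp=f"{m['date']} {m['time']}",
        src_ip=m["src_ip"],
        src_port=int(m["src_port"]),
        dst_ip=m["dst_ip"],
        dst_port=int(m["dst_port"]),
        proto=m["proto"],
    )


def is_same_src_dst(alert: Alert) -> bool:
    """The condition the BAD TRAFFIC rule fires on: identical IP and port on both ends."""
    return alert.src_ip == alert.dst_ip and alert.src_port == alert.dst_port


def triage(alert_text: str) -> dict:
    """Count same-src/dst hits per host, separating the NetBIOS/UDP pattern from
    the thread (safe to scope a pass rule to) from anything else (keep alerting)."""
    netbios_by_host: Counter = Counter()
    other: Counter = Counter()
    for line in alert_text.splitlines():
        alert = parse_alert(line)
        if alert is None or not is_same_src_dst(alert):
            continue
        if alert.proto == "UDP" and alert.src_port in NETBIOS_PORTS:
            netbios_by_host[alert.src_ip] += 1
        else:
            other[f"{alert.src_ip}:{alert.src_port}/{alert.proto}"] += 1
    return {"netbios_by_host": dict(netbios_by_host), "other": dict(other)}


if __name__ == "__main__":
    for category, counts in triage(SAMPLE_ALERTS).items():
        print(category)
        for key, n in sorted(counts.items()):
            print(f"  {key}: {n}")
```

Running it over the constructed sample yields two NetBIOS hosts (the two domain controllers, with 2 and 1 hits) and one non-NetBIOS hit on 192.0.2.77:53 that a blanket suppression of the rule would have hidden. The per-host breakdown is also the quickest way to confirm that only the Windows 2000 boxes are producing the traffic before following Mike's suggestion of stopping services one at a time on those hosts.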
