[Snort-users] NetBIOS UDP 137 for reverse name resolution ?
daniele.muscetta at ...2470...
Tue Oct 22 02:38:06 EDT 2002
I have been using Snort and ACID for a very short time, so most likely
I still don't know enough about them...
I am running the Win32 port (sigh, sob! I know it would be better on
Linux, but I'll see if I can get another -dedicated- machine, ok?)
When an IP address that shows up in ACID cannot be resolved to its
FQDN, I have noticed that (most likely due to the resolver of the win
box) the box does not do only "normal" DNS resolution, but it also
tries to connect to the attacker on port UDP 137 (NetBIOS name server).
Then, since the firewall filters those ports out, I get LOADS of false
positives like the following:
[snort/402] ICMP Destination Unreachable (Port Unreachable)
which are VERY annoying, especially because THE MORE I use ACID, the
more alerts of this kind I keep getting... and the more alerts are in
the DB, the more it slows down, etc, etc....
Does anyone know how to disable this behaviour WITHOUT having to
disable the use of NetBIOS from the machine (which I need for other