[Snort-users] NetBIOS UDP 137 for reverse name resolution ?

daniele.muscetta@...2470... daniele.muscetta at ...2470...
Tue Oct 22 02:38:06 EDT 2002


I have been using Snort and ACID for a very short time, so most likely 
I still don't know enough about them...
I am running the Win32 port (sigh, sob! I know it would be better on 
Linux, but I'll see if I can get another -dedicated- machine, ok?)

When an IP address that shows up in ACID cannot be resolved to its 
FQDN, I have noticed that (most likely due to the resolver of the Win 
box) the box does not only do "normal" DNS resolution, but it also 
tries to connect to the attacker on port UDP 137 (NetBIOS name server). 
Then, since the firewall filters those ports out, I get LOADS of false 
positives like the following:

[snort/402]  ICMP Destination Unreachable (Port Unreachable)

which are VERY annoying, especially because THE MORE I use ACID, the 
more alerts of this kind I keep getting... and the more alerts are in 
the DB, the more it slows down, etc., etc....

Does anyone know how to disable this behaviour WITHOUT having to 
disable the use of NetBIOS on the machine (which I need for other 
stuff)?

Kind Regards,

Daniele Muscetta
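A small triage script for the situation described above, added here as an example and not part of the original post or of Snort/ACID: it reads Snort "fast" alert lines and separates the snort/402 (ICMP Port Unreachable) alerts whose destination is the analyst's own console (the box that does the reverse lookups, so the ICMP replies come back to it) from those aimed at other hosts. The console address, the alert lines and the local sid 1000001 are all constructed for the example.

```python
import re
from typing import Dict, List

# Layout of Snort's alert_fast output, as assumed by this example:
#   <timestamp> [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: N] {PROTO} src[:port] -> dst[:port]
FAST_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?P<msg>.*?) \[\*\*\].*?\{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?$"
)

PORT_UNREACH_SID = "402"  # snort/402: ICMP Destination Unreachable (Port Unreachable)


def parse_fast_alert(line: str) -> Dict[str, str]:
    """Split one fast-alert line into its fields; raise on anything else."""
    m = FAST_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a fast alert line: {line!r}")
    return m.groupdict()


def triage_port_unreachable(lines: List[str], console_ip: str) -> Dict[str, List[Dict[str, str]]]:
    """Bucket sid 402 alerts: 'self_inflicted' when the ICMP reply is addressed
    to the console doing the NetBIOS/DNS lookups, 'other' otherwise.
    Caveat: the fast line does not carry the embedded original datagram, so
    confirming that the dropped packet was really UDP/137 needs the full
    alert or the packet log."""
    result: Dict[str, List[Dict[str, str]]] = {"self_inflicted": [], "other": []}
    for line in lines:
        if not line.strip():
            continue
        alert = parse_fast_alert(line)
        if alert["sid"] != PORT_UNREACH_SID:
            continue
        bucket = "self_inflicted" if alert["dst"] == console_ip else "other"
        result[bucket].append(alert)
    return result


# Constructed sample alerts; 192.0.2.10 plays the Windows box running ACID.
SAMPLE_ALERTS = """\
10/22-02:38:06.101010 [**] [1:402:4] ICMP Destination Unreachable (Port Unreachable) [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.1 -> 192.0.2.10
10/22-02:38:07.202020 [**] [1:402:4] ICMP Destination Unreachable (Port Unreachable) [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.7 -> 192.0.2.25
10/22-02:38:08.303030 [**] [1:1000001:1] LOCAL example alert [**] [Classification: Misc activity] [Priority: 3] {TCP} 198.51.100.7:4444 -> 192.0.2.10:80
10/22-02:38:09.404040 [**] [1:402:4] ICMP Destination Unreachable (Port Unreachable) [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.9 -> 192.0.2.10
"""

if __name__ == "__main__":
    buckets = triage_port_unreachable(SAMPLE_ALERTS.splitlines(), "192.0.2.10")
    for name, alerts in buckets.items():
        print(name, [(a["src"], a["dst"]) for a in alerts])
```

Sources that only ever show up in the self_inflicted bucket are the ones to review before writing a Snort suppression or pass rule for them.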
