Thu Nov 23 16:36:19 EST 2017
After seeing a lot of NetBIOS node-status probes in my firewall logs,
I discovered that many NT servers apparently do a reverse DNS lookup
by sending a NetBIOS node-status query. This is documented at:
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Bill
Sent: Wednesday, December 13, 2000 11:01 AM
To: Dr SuSE
Cc: Snort Users
Subject: Re: [Snort-users] RFC1918 traffic
I believe the traffic you are seeing is due to a bug in Windows name
resolution. If an NT machine tries to resolve an IP address it tries
DNS, then WINS. In the case of a dual homed machine this also causes the
machine to send Netbios resolution packets from all interfaces. This is
most likely what you encountered. I can't find the MS article on this
issue at the moment.
I have been thinking about writing something that would force a machine
with this bug to give up internal IP addresses but have not had time to
Dr SuSE wrote:
> At the place of my current employment one of my tasks is to review alerts
> to me our firewall and from that information I'm expected to determine
> would be hackers are up to without having access to the full firewall
> Yesterday I got an alert and noticed something was not right. Packets
> being dropped which had a source IP of 192.168.0.1 Here is the alert sent
> 11Dec2000 18:21:07 drop firewall > btlan01 useralert proto tcp src
> dst machine.my.domain.com service port135 s_port 1047 len 48 rule 44
> There are a total of three of these and they are all identical and all
> within a few seconds of each other.
> I talked to Marty about this last night on #snort and he provided much
> to how an RFC1918 IP could show up on the Internet side of the firewall.
> Thanks again for the info Marty.
> So, last night I wrote a rule to detect TCP, ICMP and UDP traffic from
> IPs. I'm not sure how useful the rules will be but I figured I'd share
> info and maybe get some feedback from the rest of you Snort users and in
> process learn something. I'm sorry I don't have any more information other
> the email alert but that's all I have access to.
> Anyway, to the rules.
> In snort.conf I created a variable which has the value of the private IPs
> specified by RFC 1918
> var RFC1918 [10.0.0.0/8,172.16.0.0/12,192.168.0.0/16]
> Then in the rules file I simply added these rules.
> alert TCP $RFC1918 any -> $INTERNAL any (msg: "TCP Traffic from RFC1918
> alert UDP $RFC1918 any -> $INTERNAL any (msg: "UDP Traffic from RFC1918
> alert ICMP $RFC1918 any -> $INTERNAL any (msg: "ICMP Traffic from RFC1918
> Microsoft is not installed.
Bill Pennington - CISSP
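The RFC 1918 source check that the quoted Snort rules express, as an added example that is not part of this thread: a small Python script that applies the same three private ranges to alert lines in the "useralert" format quoted above. The sample alerts, including their source addresses (the original alert text was cut off before the address), are constructed for this example, and the regex field names are assumptions.

```python
import ipaddress
import re

# The same three private ranges as the snort.conf variable in the post.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample alerts in the firewall's "useralert" format quoted in
# the thread; the src addresses are filled in here and are not from the post.
SAMPLE_ALERTS = """\
11Dec2000 18:21:07 drop firewall > btlan01 useralert proto tcp src 192.168.0.1 dst machine.my.domain.com service port135 s_port 1047 len 48 rule 44
11Dec2000 18:21:09 drop firewall > btlan01 useralert proto tcp src 192.168.0.1 dst machine.my.domain.com service port135 s_port 1048 len 48 rule 44
11Dec2000 18:22:30 accept firewall > btlan01 useralert proto udp src 203.0.113.7 dst machine.my.domain.com service port137 s_port 137 len 78 rule 12
11Dec2000 18:23:01 drop firewall > btlan01 useralert proto tcp src 10.1.2.3 dst machine.my.domain.com service port139 s_port 1050 len 48 rule 44
"""

# Field layout assumed from the quoted alert; group names are this example's own.
ALERT_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<action>\S+) .*?proto (?P<proto>\S+) "
    r"src (?P<src>\S+) dst (?P<dst>\S+) service (?P<service>\S+)"
)


def is_rfc1918(addr: str) -> bool:
    """True if addr parses as an IP address inside one of the private ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)


def parse_alert(line: str):
    """Return the alert's fields as a dict, or None if the line does not match."""
    m = ALERT_RE.match(line)
    return m.groupdict() if m else None


def find_rfc1918_sources(text: str):
    """(proto, src, dst, service) for every alert whose source is a private address."""
    hits = []
    for line in text.splitlines():
        rec = parse_alert(line)
        if rec and is_rfc1918(rec["src"]):
            hits.append((rec["proto"], rec["src"], rec["dst"], rec["service"]))
    return hits


if __name__ == "__main__":
    for hit in find_rfc1918_sources(SAMPLE_ALERTS):
        print("private source seen on the external side:", hit)
```

The same check generalises to any log format: parse out the source field, then test it against the three networks with the ipaddress module rather than with string prefixes (which would wrongly accept 172.32.x.x, for instance).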