No subject

Thu Nov 23 16:36:19 EST 2017

 After seeing a lot of NetBIOS node-status probes in my firewall logs,
 I discovered that many NT servers apparently do a reverse DNS lookup
 by sending a NetBIOS node-status query.  This is documented at:


-----Original Message-----
From: snort-users-admin at
[mailto:snort-users-admin at] On Behalf Of Bill
Sent: Wednesday, December 13, 2000 11:01 AM
To: Dr SuSE
Cc: Snort Users
Subject: Re: [Snort-users] RFC1918 traffic

I believe the traffic you are seeing is due to a bug in Windows name
resolution. If an NT machine tries to resolve an IP address it tries
DNS, then WINS. In the case of a dual-homed machine this also causes the
machine to send NetBIOS resolution packets from all interfaces. This is
most likely what you encountered. I can't find the MS article on this
issue at the moment.

I have been thinking about writing something that would force a machine
with this bug to give up internal IP addresses but have not had time to
pursue it.

Dr SuSE wrote:
> At the place of my current employment one of my tasks is to review alerts
> to me our firewall and from that information I'm expected to determine
> what would-be hackers are up to without having access to the full firewall
> Yesterday I got an alert and noticed something was not right.  Packets
> being dropped which had a source IP of  Here is the alert sent to
> me.
> ===================================
> 11Dec2000 18:21:07 drop firewall > btlan01 useralert proto tcp src
> dst service port135 s_port 1047 len 48 rule 44
> ====================================
> There are a total of three of these and they are all identical and all came in
> within a few seconds of each other.
> I talked to Marty about this last night on #snort and he provided much help as
> to how an RFC1918 IP could show up on the Internet side of the firewall.
> Thanks again for the info Marty.
> So, last night I wrote a rule to detect TCP, ICMP and UDP traffic from
> RFC1918 IPs.  I'm not sure how useful the rules will be but I figured I'd share
> the info and maybe get some feedback from the rest of you Snort users and in
> the process learn something.  I'm sorry I don't have any more information other
> than the email alert but that's all I have access to.
> Anyway, to the rules.
> In snort.conf I created a variable which has the value of the private IPs
> specified by RFC 1918
> var RFC1918 [,,]
> Then in the rules file I simply added these rules.
> alert TCP $RFC1918 any -> $INTERNAL any (msg: "TCP Traffic from RFC1918";)
> alert UDP $RFC1918 any -> $INTERNAL any (msg: "UDP Traffic from RFC1918";)
> alert ICMP $RFC1918 any -> $INTERNAL any (msg: "ICMP Traffic from RFC1918";)
> ---------------------------------------------
> Microsoft is not installed.
> _______________________________________________
> Snort-users mailing list
> Snort-users at
> Go to this URL to change user options or unsubscribe:


Bill Pennington - CISSP
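The same check the three Snort rules perform, applied offline to firewall useralert lines in the format quoted in the thread. This is an added example, not code from either poster; the log lines are constructed, with the src/dst addresses (stripped from the archived post) filled in with made-up values, and the label it attaches is simply the msg text of the matching rule.

```python
import ipaddress
import re

# RFC 1918 private ranges, the same set the $RFC1918 variable is meant to hold.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Field layout of the "useralert" line quoted in the thread (assumed from that
# one sample; other firewall log formats will need a different pattern).
ALERT_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<action>\w+) (?P<fw>\S+) > (?P<iface>\S+) "
    r"useralert proto (?P<proto>\w+) src (?P<src>\S+) dst (?P<dst>\S+) "
    r"service (?P<service>\S+) s_port (?P<sport>\d+) len (?P<len>\d+) rule (?P<rule>\d+)$"
)

def is_rfc1918(addr):
    """True if addr falls inside one of the three RFC 1918 blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def parse_alert(line):
    """Split one useralert line into its fields, or return None if it does not match."""
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None

def flag_private_sources(lines):
    """Return the parsed alerts whose source is an RFC 1918 address.
    On the Internet side of a firewall such a source is spoofed, leaked or
    misrouted, so each hit is tagged with the Snort rule message it would trip."""
    hits = []
    for line in lines:
        rec = parse_alert(line)
        if rec and is_rfc1918(rec["src"]):
            rec["snort_rule"] = f"{rec['proto'].upper()} Traffic from RFC1918"
            hits.append(rec)
    return hits

# Constructed sample lines in the thread's format; all addresses are made up.
SAMPLE = [
    "11Dec2000 18:21:07 drop firewall > btlan01 useralert proto tcp src 10.0.0.5 dst 203.0.113.7 service port135 s_port 1047 len 48 rule 44",
    "11Dec2000 18:21:09 drop firewall > btlan01 useralert proto tcp src 10.0.0.5 dst 203.0.113.7 service port135 s_port 1047 len 48 rule 44",
    "11Dec2000 18:22:30 drop firewall > btlan01 useralert proto udp src 198.51.100.9 dst 203.0.113.7 service port137 s_port 137 len 78 rule 44",
]

if __name__ == "__main__":
    for h in flag_private_sources(SAMPLE):
        print(h["time"], h["src"], "->", h["dst"], h["service"], "|", h["snort_rule"])
```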