All my users do their surfing thru proxies.
I know what addresses those are and should only see traffic to those
addresses,
not every address in my subnet. It's a scan. (except for the ones that were
legit sites hitting my proxy addresses)
-----Original Message-----
From: Ben Nagy [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 02, 2001 8:53 PM
To: 'Carl E. Mankinen'; firewall discussion list
Subject: RE: lots of port 137 in deny log
Carl,
No - you'll get that. It's normally IIS servers trying to "look up" IP
addresses that connect to them. Are these real IP addresses that might be
computers running WWW browsers?
Cheers,
--
Ben Nagy
Network Security Specialist
Marconi Services Australia Pty Ltd
Mb: +61 414 411 520 PGP Key ID: 0x1A86E304
-----Original Message-----
From: Carl E. Mankinen [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 03, 2001 8:05 AM
To: firewall discussion list
Subject: Re: lots of port 137 in deny log
What I am seeing is inbound nbname connections to IP addresses all over my
CIDR block.
Not to addresses that would have ever been resolved by external DNS etc.
I would think this would indicate malicious intent.
----- Original Message -----
From: [EMAIL PROTECTED]
To: Dave Vogler
Cc: firewall discussion list ; [EMAIL PROTECTED]
Sent: Wednesday, May 02, 2001 4:13 PM
Subject: Re: lots of port 137 in deny log
Because Microsoft implements NETBIOS over TCP by default and most people
don't know effort to turn it off. Consequently you have all kinds of
systems trying to find out about the "Nework Neighborhood" they are attached
to.
-- Bill Stackpole, CISSP
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
