I agree with Carl. I am not so sure that this can be just explained away as
being normal Microsoft activity. I too have seen a great deal of this type
of activity, and it just started about 6 months ago. I know the same
subject has come up on this thread at least 3 times now. It sure sounds
like it is another MS "issue".
> -----Original Message-----
> From: Carl E. Mankinen [SMTP:[EMAIL PROTECTED]]
> Sent: Wednesday, May 02, 2001 10:06 PM
> To: firewall discussion list
> Subject: RE: lots of port 137 in deny log
>
> Yeah, try this if you have a MS Proxy 2.0 server.
> Punch in a URL like <http://209.247.228.201> and watch what your proxy
> server does.
> It will send a nbname packet to that address. I am not sure if this is
> related to WebSense, or what.
> I suppose it might be WebSense trying to find out the "name" of the server
> for its logging purposes, but wouldn't that best be done thru a reverse DNS
> lookup? weird.
>
> Squid didn't do that (go figure, it's running on Solaris)
>
> The nbname packets that are clogging my logs are from all over creation.
> Asia, Russia, U.S., Europe, etc etc.
> I doubt it's anything other than malicious.
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of
> [EMAIL PROTECTED]
> Sent: Wednesday, May 02, 2001 8:33 PM
> To: firewall discussion list; [EMAIL PROTECTED]
> Subject: Re: lots of port 137 in deny log
>
>
>
> Carl,
>
> There are numerous netbios based scanners out there so "malicious
> intent" is certainly a possibility. But, I had a similar problem on a
> firewall I was administering. I traced it back to a company on the same
> ISP segment I was on that had netbios enabled on their web and proxy
> servers. These two servers accounted for 700-800 port 137 denies every
> day. It was interesting to watch because they would first try specific
> addresses, then broadcast addresses then class B broadcasts.
>
> It's interesting to monitor segments with NT boxes on them. Even
> when you set up security controls on the interfaces to block everything
> but TCP/IP, they still send out mailbox queries and other garbage. Go
> figure.
>
> -- Bill Stackpole, CISSP
>
>
>
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
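The triage Bill describes (group the port 137 denies by source, then see whether a source walks specific hosts, then the subnet broadcast, then the class B broadcast) is easy to automate. The script below is an added example written for this page, not code posted by anyone in the thread. The deny-log lines are constructed, the "DENY proto src:sport -> dst:dport" layout is an assumed generic format rather than any vendor's, and the /24 and /16 broadcast boundaries used to classify destinations are assumptions as well.

```python
import re
from collections import Counter, defaultdict

# Constructed sample deny-log lines (made up for this example; the assumed
# layout is "DENY <proto> <src>:<sport> -> <dst>:<dport>", not any vendor's).
SAMPLE_LOG = """\
May  2 21:58:01 fw kernel: DENY udp 198.51.100.7:137 -> 203.0.113.5:137
May  2 21:58:01 fw kernel: DENY udp 198.51.100.7:137 -> 203.0.113.6:137
May  2 21:58:02 fw kernel: DENY udp 198.51.100.7:137 -> 203.0.113.255:137
May  2 21:58:03 fw kernel: DENY udp 198.51.100.7:137 -> 203.0.255.255:137
May  2 21:58:04 fw kernel: DENY tcp 192.0.2.44:3128 -> 203.0.113.5:80
May  2 21:58:05 fw kernel: DENY udp 192.0.2.44:137 -> 203.0.113.5:137
May  2 21:58:06 fw kernel: DENY udp 198.51.100.9:1026 -> 203.0.113.5:137
"""

LINE_RE = re.compile(
    r"DENY (?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_line(line):
    """Return the fields of one deny line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def classify_dst(dst):
    """Bucket a destination the way the thread describes the sweep: a
    specific host, the /24 directed broadcast, or the /16 ("class B")
    broadcast. Treating x.y.z.255 as the subnet broadcast and x.y.255.255
    as the class B broadcast is an assumption of this example."""
    octets = [int(o) for o in dst.split(".")]
    if octets[2] == 255 and octets[3] == 255:
        return "class-b-broadcast"
    if octets[3] == 255:
        return "subnet-broadcast"
    return "unicast"


def summarize(log_text, port=137):
    """Group UDP denies to `port` by source address and count, per source,
    how many went to unicast hosts versus each broadcast kind. Non-UDP
    lines and other destination ports are ignored."""
    per_src = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "udp" or rec["dport"] != port:
            continue
        per_src[rec["src"]][classify_dst(rec["dst"])] += 1
    return dict(per_src)


def sweep_sources(summary):
    """Sources that hit unicast hosts *and* both broadcast kinds, i.e. the
    host -> subnet broadcast -> class B broadcast progression described in
    the thread. Sorted so the output is stable."""
    return sorted(
        src for src, c in summary.items()
        if c["unicast"] and c["subnet-broadcast"] and c["class-b-broadcast"]
    )


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    # Noisiest sources first; a handful of hosts usually account for most denies.
    for src, counts in sorted(summary.items(),
                              key=lambda kv: -sum(kv[1].values())):
        print(f"{src:16} total={sum(counts.values()):3} {dict(counts)}")
    print("sweep pattern from:", ", ".join(sweep_sources(summary)))
```

Run against a real log the top of the per-source list tells you whether the noise is "from all over creation" or, as in Bill's case, a couple of neighbouring hosts with NetBIOS bound to their external interfaces; a source that shows up in `sweep_sources` is a good candidate to take up with the neighbouring site or ISP.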