Hi all,

I’ve recently been getting a lot of scans on port 137 with the same query payload as in (http://www.sans.org/newlook/resources/IDFAQ/port_137.htm) ……………CKAAAAAAAAA..! I know the purpose of this scan but thought it strange, as yesterday I had scans from 57 different addresses in a 12hr period. All with different TTLs, different source ports around 1027, and different IP Identification values, so I don’t think that this is some tool. Can anyone shed any light as to why so many all of a sudden?

Also, I’m running Snort IDS but it did not alert me to these scans even though I thought it had a rule to.

Regards
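
Added example, not part of the original post: the "CKAAAA…" string in the payload is the NetBIOS first-level encoding of the wildcard name `*`, so a node status (NBSTAT) probe can be matched on the decoded question and counted per source, whatever the TTL, source port or IP ID. The function names and the sample packets are constructed for illustration.

```python
import struct

NBSTAT, CLASS_IN = 0x0021, 0x0001   # node status question type, Internet class
WILDCARD = b"*" + b"\x00" * 15      # 16-byte NetBIOS wildcard name

def decode_nb_name(encoded: bytes) -> bytes:
    """Undo first-level encoding: each pair of letters 'A'..'P' is one byte."""
    if len(encoded) != 32 or any(not 0x41 <= c <= 0x50 for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    return bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                 for i in range(0, 32, 2))

def is_wildcard_nbstat(payload: bytes) -> bool:
    """True for a UDP/137 query whose question is NBSTAT for the name '*'."""
    if len(payload) < 50:
        return False
    _tid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    # Must be a query (response bit clear) with one question: a 0x20 length
    # byte, 32 encoded characters, then a zero terminator.
    if flags & 0x8000 or qdcount != 1 or payload[12] != 0x20 or payload[45] != 0:
        return False
    try:
        name = decode_nb_name(payload[13:45])
    except ValueError:
        return False
    return name == WILDCARD and struct.unpack("!HH", payload[46:50]) == (NBSTAT, CLASS_IN)

def build_query(tid: int, name16: bytes, qtype: int = NBSTAT) -> bytes:
    """Build a constructed sample query (used only to make test input)."""
    enc = bytes(b for c in name16 for b in (0x41 + (c >> 4), 0x41 + (c & 0x0F)))
    header = struct.pack("!HHHHHH", tid, 0, 1, 0, 0, 0)
    return header + b"\x20" + enc + b"\x00" + struct.pack("!HH", qtype, CLASS_IN)

# Constructed sample traffic: (source IP, source port, UDP payload sent to port 137).
SAMPLE = [
    ("192.0.2.10", 1027, build_query(1, WILDCARD)),
    ("192.0.2.10", 1028, build_query(2, WILDCARD)),
    ("198.51.100.7", 1026, build_query(3, WILDCARD)),
    ("203.0.113.5", 137, build_query(4, b"FILESRV".ljust(15) + b"\x00", qtype=0x0020)),
    ("203.0.113.9", 1029, b"\x00" * 20),  # too short to be a name query
]

def wildcard_sources(packets):
    """Count wildcard NBSTAT probes per source address."""
    counts = {}
    for src, _sport, payload in packets:
        if is_wildcard_nbstat(payload):
            counts[src] = counts.get(src, 0) + 1
    return counts
```

Feeding it the UDP payloads from a port 137 capture gives a per-source probe count that can be compared against whatever the IDS rule did or did not fire on.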
