Re: [SLUG] Question: Firewall Log

From: Glenn Meyer (me@glennmeyer.com)
Date: Wed Oct 30 2002 - 09:19:45 EST


Ports 135, 137, 139 are used by Microsoft for drive sharing and domain
communications. Basically what you are seeing is Microsoft machines
automatically seeking other Microsoft machines (probably the Computer
Browser service) that will then show up in the "My Network Places" or
"Network Neighborhood". These are known vulnerable ports and you should
be glad that your firewall is blocking those requests for information.
 A good deal of information is given out through those ports.

Jeff Barriault wrote:

>Greetings all,
>
>I have a Netgear ProSafe VPN/Firewall between my internal systems and my
>cable modem. It has it's intrusion detection feature enabled, and is set up
>to e-mail me logs every day. I've noticed that the majority of the log files
>have entries similar to the one below.
>
>Sun, 10/27/2002 06:48:35 - UDP packet dropped - Source:218.153.236.89, 1026,
>WAN - Destination:65.32.27.159, 137, LAN - 'Suspicious UDP Data'
>
>What I've noticed is that the port is almost always port 137. I looked it up
>and it is usually reserved for the nbname protocol.
>
>What exactly is the nbname protocol? I don't believe I have nbname running
>on any of my systems, can I redirect the port or do something else so that
>my logs aren't flooded with these entries? Or can these entries be serious
>threats that I need to keep track of?
>
>All help is appreciated.
>
>Thanks,
>
>JB
>



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 17:10:07 EDT