Re: [SLUG] Question: Firewall Log

From: Ian C. Blenke (icblenke@nks.net)
Date: Wed Oct 30 2002 - 09:49:28 EST


On Wednesday 30 October 2002 09:19, Glenn Meyer wrote:
> Ports 135, 137, 139 are used by Microsoft for drive sharing and domain
> communications. Basically what you are seeing is Microsoft machines
> automatically seeking other Microsoft machines (probably the Computer
> Browser service) that will then show up in the "My Network Places" or
> "Network Neighborhood". These are known vulnerable ports and you should
> be glad that your firewall is blocking those requests for information.
> A good deal of information is given out through those ports.
>
> Jeff Barriault wrote:
> >Greetings all,
> >
> >I have a Netgear ProSafe VPN/Firewall between my internal systems and my
> >cable modem. It has its intrusion detection feature enabled, and is set
> > up to e-mail me logs every day. I've noticed that the majority of the log
> > files have entries similar to the one below.
> >
> >Sun, 10/27/2002 06:48:35 - UDP packet dropped - Source:218.153.236.89,
> > 1026, WAN - Destination:65.32.27.159, 137, LAN - 'Suspicious UDP Data'
> >
> >What I've noticed is that the port is almost always port 137. I looked it
> > up and it is usually reserved for the nbname protocol.
> >
> >What exactly is the nbname protocol? I don't believe I have nbname running
> >on any of my systems, can I redirect the port or do something else so that
> >my logs aren't flooded with these entries? Or can these entries be serious
> >threats that I need to keep track of?
> >
> >All help is appreciated.

IP encapsulated NetBIOS Naming protocol. Actually, both ports 137 and 138 are
used for NetBIOS name record resolution and browsing. The actual Server
Message Block (SMB) data communications take place over NetBIOS messages via
TCP port 139 sessions. All Microsoft DCE RPC communications take place over
TCP port 135 (nothing to do with NetBIOS over IP). Newer versions of Windows
(Win2k/WinXP) support TCP port 445 for "raw" SMB data communications as well
(no NetBIOS framing). For that matter, newer versions of Windows rely more on
DNS resolution than P-node/B-node (or H-node) NetBIOS name resolution. WINS
is simply a NetBIOS name server that services UDP port 137 NetBIOS name
requests.

As for this traffic coming in from the outside, be glad your firewall is
blocking them. You really don't want exposed access to these ports from the
outside world.

- Ian C. Blenke <icblenke@nks.net> <ian@blenke.com> http://ian.blenke.com
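As an added illustration of the port breakdown in the reply above (this is example code, not from the thread or from Netgear), the following parses dropped-packet entries in the ProSafe log format quoted by Jeff, labels each by the NetBIOS/SMB service Ian lists for that protocol and port, and separates the expected NetBIOS name-service noise from drops on other ports that deserve a closer look. The log lines are constructed samples in that format; the port mapping follows the reply.

```python
import re
from collections import Counter

# Constructed sample entries in the Netgear ProSafe format quoted in the thread.
SAMPLE_LOG = """\
Sun, 10/27/2002 06:48:35 - UDP packet dropped - Source:218.153.236.89, 1026, WAN - Destination:65.32.27.159, 137, LAN - 'Suspicious UDP Data'
Sun, 10/27/2002 06:51:02 - UDP packet dropped - Source:203.0.113.7, 137, WAN - Destination:65.32.27.159, 137, LAN - 'Suspicious UDP Data'
Sun, 10/27/2002 07:03:19 - TCP packet dropped - Source:198.51.100.22, 4132, WAN - Destination:65.32.27.159, 445, LAN - 'Suspicious TCP Data'
Sun, 10/27/2002 07:10:44 - TCP packet dropped - Source:198.51.100.22, 4140, WAN - Destination:65.32.27.159, 139, LAN - 'Suspicious TCP Data'
Sun, 10/27/2002 07:12:01 - TCP packet dropped - Source:192.0.2.9, 3301, WAN - Destination:65.32.27.159, 22, LAN - 'Suspicious TCP Data'
"""

# (protocol, destination port) -> service, as described in the reply above.
NETBIOS_SMB_PORTS = {
    ("UDP", 137): "NetBIOS name service",
    ("UDP", 138): "NetBIOS datagram service",
    ("TCP", 139): "SMB over NetBIOS session",
    ("TCP", 445): "SMB direct (no NetBIOS framing)",
    ("TCP", 135): "DCE RPC endpoint mapper",
}

LOG_RE = re.compile(
    r"^(?P<when>\w{3}, \d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) - "
    r"(?P<proto>TCP|UDP) packet dropped - "
    r"Source:(?P<src>[\d.]+), (?P<sport>\d+), (?P<sif>\w+) - "
    r"Destination:(?P<dst>[\d.]+), (?P<dport>\d+), (?P<dif>\w+) - "
    r"'(?P<reason>[^']*)'$"
)

def parse_line(line):
    """Return a dict for one log entry, or None if the line is not in this format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    d["service"] = NETBIOS_SMB_PORTS.get((d["proto"], d["dport"]), "other")
    return d

def summarize(log_text):
    """Count drops arriving on the WAN side per service; list sources hitting non-NetBIOS/SMB ports."""
    by_service, other = Counter(), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["sif"] != "WAN":
            continue  # skip unparseable lines and anything not coming from the outside
        by_service[rec["service"]] += 1
        if rec["service"] == "other":
            other.append((rec["src"], rec["proto"], rec["dport"]))
    return by_service, other
```

Running summarize(SAMPLE_LOG) shows the port 137 background noise as one count and leaves only the port 22 drop in the "other" list for follow-up.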

This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 17:10:17 EDT