[Dshield] gzip'ed logs

Mark Ludwig Mark at Ludwig.com
Sun Aug 12 21:15:05 GMT 2001


Richard Lynch wrote:

> I'm getting like 30,000 TCP packets PER HOUR mostly on ports 137 &
> 138.  Mostly broadcast to a.b.c.255 IPs.

Right.

My understanding (from DShield's database review feature) is that those are not necessarily conscious attempts
at cracking into your system.  The fact that they're broadcast is part of the clue.  They're part of how
"Windows Networking" discovers other hosts on the "subnet."  (While it does in fact work most of the time, I
think "Windows Networking" is awfully close to being an oxymoron.)

I've stopped logging packets to 137 or 138, so I can't see what DShield has to say about them any more, but if
I recall correctly, they suggested that such packets were only an indicator of trouble when combined with
packets sent to 139.  I just happen to be seeing a spike in the packets to 139 lately, but I don't feel a need
to turn on logging of 137 & 138 just to see if they're connected.  DShield thinks the packets sent to port 139
are High severity.

Mark
--
"Enjoy your body.  Use it every way you can.
 Don't be afraid of it or what other people think of it.
 It's the greatest instrument you'll ever own."
  -- Mary Schmich via Baz Luhrmann
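The distinction Mark draws above, broadcast NetBIOS name/datagram chatter on 137/138 versus traffic aimed at the session service on 139 (and the two combined from one source), can be turned into a small triage pass over firewall logs. This is an added example, not code from the list, from Mark, or from DShield; the line format and the sample log entries are constructed for the example and do not follow DShield's real submission format.

```python
import re
from collections import defaultdict

# Constructed, simplified log line format (assumption for this example):
#   <timestamp> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# NetBIOS over TCP/IP: 137 = name service, 138 = datagram service,
# 139 = session service (the one Mark notes DShield rates as High).
NETBIOS_DISCOVERY_PORTS = {137, 138}
NETBIOS_SESSION_PORT = 139

# Constructed sample: two LAN hosts doing broadcast discovery, one outside
# host that probes a name service and then tries 139 on two machines, and
# one outside host that only tries 139.
SAMPLE_LOG = """\
2001-08-12T20:01:03 UDP 10.0.0.17:137 -> 10.0.0.255:137
2001-08-12T20:01:04 UDP 10.0.0.17:138 -> 10.0.0.255:138
2001-08-12T20:01:09 UDP 10.0.0.42:137 -> 10.0.0.255:137
2001-08-12T20:02:11 TCP 192.0.2.77:3021 -> 10.0.0.5:139
2001-08-12T20:02:12 UDP 192.0.2.77:137 -> 10.0.0.5:137
2001-08-12T20:02:13 TCP 192.0.2.77:3022 -> 10.0.0.6:139
2001-08-12T20:03:40 TCP 198.51.100.9:4455 -> 10.0.0.5:139
2001-08-12T20:04:01 UDP 10.0.0.17:137 -> 10.0.0.255:137
"""


def is_broadcast(ip):
    """Crude check matching the a.b.c.255 pattern mentioned in the thread."""
    return ip.endswith(".255")


def parse_line(line):
    """Parse one constructed log line; return None for lines that don't match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "proto": m.group("proto"),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
    }


def count_by_source(log_text):
    """Tally, per source IP, broadcast vs directed 137/138 traffic and 139 attempts."""
    per_src = defaultdict(
        lambda: {"bcast_137_138": 0, "unicast_137_138": 0, "port_139": 0}
    )
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        counts = per_src[rec["src"]]
        if rec["dport"] in NETBIOS_DISCOVERY_PORTS:
            if is_broadcast(rec["dst"]):
                counts["bcast_137_138"] += 1
            else:
                counts["unicast_137_138"] += 1
        elif rec["dport"] == NETBIOS_SESSION_PORT:
            counts["port_139"] += 1
    return dict(per_src)


def classify(counts):
    """Map one source's tallies to a priority, following the thread's reasoning:
    139 alone is high; 137/138 plus 139 from the same source is the stronger
    signal; directed 137/138 alone is a low-priority look; broadcast-only is
    ordinary Windows Networking discovery noise."""
    probed = counts["unicast_137_138"] or counts["bcast_137_138"]
    if counts["port_139"] and probed:
        return "high-correlated"
    if counts["port_139"]:
        return "high"
    if counts["unicast_137_138"]:
        return "low"
    return "noise"


def triage(log_text):
    """Return {source_ip: priority} for every source seen in the log."""
    return {src: classify(c) for src, c in count_by_source(log_text).items()}


def broadcast_share(log_text):
    """Fraction of parseable lines that are broadcast 137/138 discovery traffic."""
    recs = [r for r in map(parse_line, log_text.splitlines()) if r]
    if not recs:
        return 0.0
    noise = sum(
        1 for r in recs
        if r["dport"] in NETBIOS_DISCOVERY_PORTS and is_broadcast(r["dst"])
    )
    return noise / len(recs)


if __name__ == "__main__":
    for src, prio in sorted(triage(SAMPLE_LOG).items()):
        print(f"{src:15} {prio}")
    print(f"broadcast discovery share: {broadcast_share(SAMPLE_LOG):.0%}")
```

Run against the constructed sample, the two LAN hosts come out as noise, the host that touched a name service and then 139 on two machines is the only one marked high-correlated, and the 139-only host is high. The broadcast share is what lets you decide, as Mark did, whether logging 137/138 at all is worth the volume.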