[Dshield] NETBIOS Probe

Kelly Martin kellym at fb00.fb.org
Mon Mar 25 17:01:31 GMT 2002


I've disagreed with the categorization of 137 as "possible firewall
misconfiguration" as well.  While it is true that certain operating systems
routinely send probes out on port 137 (for no good reason), and those probes
are not at all hostile, this is no reason to consider it a
"misconfiguration" when those illicit probes are detected.  And there is
enough hostile activity on 137, 138, and 139 that traffic on these ports
from untrusted sources should be treated as potentially hostile and blocked.

Kelly

> -----Original Message-----
> From:	James [SMTP:dshield at webfocus.com]
> Sent:	Monday, March 25, 2002 10:27 AM
> To:	list at dshield.org
> Subject:	[Dshield] NETBIOS Probe
> 
> 
> Well when looking at the "Your recent submissions" page and look at the 
> Danger level. My question is why are NETBIOS set to a "Possible Firewall 
> Misconfiguration"?  I see no reason for someone on the Internet should try
> 
> to probe NETBIOS.  If some is trying to Probe NETBIOS then they are either
> 
> trying to see if the system is open to use the Hard drive or system ( High
> 
> Alert if you ask me ) or Information gathering for some type or Profiling 
> on there side  for a Low Alert.   I do not think that NETBIOS probes are 
> "Possible Firewall Misconfiguration" at all.
> 
> How do others see this?
> 
> James
> 
> _______________________________________________
> Dshield mailing list
> Dshield at dshield.org
> To change your subscription options (or unsubscribe), see:
> http://www.dshield.org/mailman/listinfo/list




More information about the list mailing list