[Dshield] NETBIOS Probe
ed.truitt at etee2k.net
Mon Mar 25 17:42:40 GMT 2002
Kelly Martin <kellym at fb00.fb.org> said:
> I've disagreed with the categorization of 137 as "possible firewall
> misconfiguration" as well. While it is true that certain operating systems
> routinely send probes out on port 137 (for no good reason), and those
> are not at all hostile, this is no reason to consider it a
> "misconfiguration" when those illicit probes are detected. And there is
> enough hostile activity on 137, 138, and 139 that traffic on these ports
> from untrusted sources should be treated as potentially hostile and
I'll certainly agree with you on that point. As a rule, I block ALL NETBIOS
services ports if the originator is not on my local network - I certainly
don't have a problem with Windows networking internally, but no way to I
want that stuff open to the Internet. I certainly don't understand why this
should be considered a "misconfiguration".
PGP fingerprint: 5368 D25E 468C A250 9833 CCD6 DBAE 9C25 02F9 0AB9
"Note to spammers: my 'delete' key is connected to YOUR ISP.
Also, if you send me UCE, I reserve the right to post your spew
on my Web site, with the appropriate color commentary, so that
others may have a good laugh at your expense."
More information about the list