[Dshield] NETBIOS Probe

Ed Truitt ed.truitt at etee2k.net
Mon Mar 25 17:42:40 GMT 2002

Kelly Martin <kellym at fb00.fb.org> said:

> I've disagreed with the categorization of 137 as "possible firewall
> misconfiguration" as well.  While it is true that certain operating systems
> routinely send probes out on port 137 (for no good reason), and those 
> are not at all hostile, this is no reason to consider it a
> "misconfiguration" when those illicit probes are detected.  And there is
> enough hostile activity on 137, 138, and 139 that traffic on these ports
> from untrusted sources should be treated as potentially hostile and 
> Kelly

I'll certainly agree with you on that point.  As a rule, I block ALL NETBIOS 
services ports if the originator is not on my local network - I certainly 
don't have a problem with Windows networking internally, but no way to I 
want that stuff open to the Internet.  I certainly don't understand why this 
should be considered a "misconfiguration".

Ed Truitt
PGP fingerprint:  5368 D25E 468C A250 9833  CCD6 DBAE 9C25 02F9 0AB9

"Note to spammers:  my 'delete' key is connected to YOUR ISP.
Also, if you send me UCE, I reserve the right to post your spew 
on my Web site, with the appropriate color commentary, so that 
others may have a good laugh at your expense."

More information about the list mailing list