[Dshield] NETBIOS ports

Kenneth Porter shiva at sewingwitch.com
Fri May 31 13:54:18 GMT 2002


I recently switched my Linux firewall from ipchains to iptables because
I needed inbound NAT and the ipchains emulation module lacks that.
Unfortunately, I didn't have a log analyzer for iptables, so I lost the
firewall summaries I'd been getting via the Logwatch package
(http://www.logwatch.org/). (I'm now thinking of using the iptables
parser from the DShield framework as a basis for a Logwatch iptables
module.)

When I set up DShield, I added myself to the cc list for the reports and
that works pretty well as a primitive intrusion detection system (IDS).

Lately I started to notice some NETBIOS activity, and looking at the
source addresses, I noted that some are another office of my company,
and some look like cable modem addresses. I have to go look more closely
at the logs, but my bet is that both are side effects of some other
legitimate activity (such as checking email), and that the user has
inadvertently left Windows file sharing open on his Internet interface.

So if you see NETBIOS stuff in your reports, don't automatically assume
it's malicious. Cross-check the timestamps in your logs and see if it's
just one of your users in need of some education.
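An added example (not part of the original post, nor the DShield parser it mentions) of the cross-check suggested above: it pulls the NetBIOS/SMB hits out of iptables LOG lines and marks a source as explained when a legitimate login from the same address sits within 30 seconds of the hit. The sample log lines, the mail-log format and the year 2002 are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the format the netfilter LOG target writes to syslog.
IPTABLES_LOG = """\
May 31 13:40:02 fw kernel: IN=eth0 OUT= SRC=10.1.2.3 DST=192.0.2.10 PROTO=UDP SPT=137 DPT=137
May 31 13:40:05 fw kernel: IN=eth0 OUT= SRC=10.1.2.3 DST=192.0.2.10 PROTO=TCP SPT=1045 DPT=139
May 31 13:41:30 fw kernel: IN=eth0 OUT= SRC=10.1.2.3 DST=192.0.2.10 PROTO=TCP SPT=1046 DPT=80
May 31 13:52:11 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=3201 DPT=445
May 31 13:55:00 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=4002 DPT=139
"""
# Constructed sample of legitimate activity: POP3 logins from a hypothetical mail server log.
MAIL_LOG = """\
May 31 13:39:58 mail pop3d: LOGIN user=alice ip=[10.1.2.3]
May 31 13:52:09 mail pop3d: LOGIN user=bob ip=[198.51.100.7]
"""

NETBIOS_PORTS = {137, 138, 139, 445}  # NetBIOS name/datagram/session plus SMB over TCP
SYSLOG_TS = r"(\w{3} +\d+ \d\d:\d\d:\d\d)"
FW_RE = re.compile(SYSLOG_TS + r" .*?SRC=(\S+) .*?DPT=(\d+)")
MAIL_RE = re.compile(SYSLOG_TS + r" .*?ip=\[([\d.]+)\]")

def parse_ts(text, year=2002):
    """Syslog timestamps carry no year; the year is an assumption passed in."""
    return datetime.strptime(text, "%b %d %H:%M:%S").replace(year=year)

def netbios_events(log):
    """(timestamp, src) for every firewall line whose destination port is NetBIOS/SMB."""
    events = []
    for m in map(FW_RE.match, log.splitlines()):
        if m and int(m.group(3)) in NETBIOS_PORTS:
            events.append((parse_ts(m.group(1)), m.group(2)))
    return events

def legit_events(log):
    """(timestamp, ip) for every mail login, i.e. activity we know is a real user."""
    return [(parse_ts(m.group(1)), m.group(2))
            for m in map(MAIL_RE.match, log.splitlines()) if m]

def correlate(fw_log, mail_log, window=timedelta(seconds=30)):
    """Per source: (NetBIOS hits, hits within `window` of a legitimate login).
    All hits explained -> probably a user with file sharing open on the Internet side."""
    legit = legit_events(mail_log)
    summary = {}
    for ts, src in netbios_events(fw_log):
        hits, explained = summary.get(src, (0, 0))
        near = any(ip == src and abs(ts - lts) <= window for lts, ip in legit)
        summary[src] = (hits + 1, explained + int(near))
    return summary
```

On the sample data the two office-style sources are fully explained by mail logins seconds earlier, while 203.0.113.9 has no matching activity and is the one worth reading the full logs for.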
