[Dshield] NETBIOS ports
tlamberth at bsafeonline.com
Fri May 31 15:17:04 GMT 2002
I may have missed the boat on this topic but I noticed the same thing
and come to find that a lot of misguided Windows users computers are
trying to populate their browse list and their machines are probing the
heck out of anything they attach to.
>Lately I started to notice some NETBIOS activity, and looking at the
>source addresses, I noted that some are another office of my company,
>and some look like cable modem addresses. I have to go look more
>at the logs, but my bet is that both are side effects of some other
>legitimate activity (such as checking email), and that the user has
>inadvertently left Windows file sharing open on his Internet interface.
>So if you see NETBIOS stuff in your reports, don't automatically assume
>it's malicious. Cross-check the timestamps in your logs and see if it's
>just one of your users in need of some education.
More information about the list