[Dshield] new to logging - question

Lepich, Jesse A Mr GLWACH Jesse.Austin.Lepich at us.army.mil
Thu Apr 29 15:26:02 GMT 2004


It's probably NetBIOS name queries.....Pretty common for Windows boxes.

See: http://www.finchhaven.com/pages/incidents/030102_udp_137.html


You might capture the traffic and see what the content looks like....if
it looks like "CKAAAAAAA..." I wouldn't worry about it too much.

For me, it's not too useful to submit egress logs to dshield. You might
consider an exclusion rule for that traffic.

-Jesse




-----Original Message-----
From: list-bounces at lists.dshield.org
[mailto:list-bounces at lists.dshield.org] On Behalf Of Strobel, Brenda
Sent: Thursday, April 29, 2004 7:52 AM
To: 'General DShield Discussion List'
Subject: [Dshield] new to logging - question



I just started submitting my zonealarm logs to dshield.
I've noticed a TON of events going out from MY machine to various IP
addresses to port 137.
I've scanned my machine left and right and it finds nothing.  
Any thoughts?

Brenda 



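The payload check suggested in the reply above, as an added example that is not part of the original thread: a "CKAAAAAAA..." string in captured UDP/137 traffic is the RFC 1001 first-level encoding of the NetBIOS wildcard name "*", and this sketch decodes the question of such a packet. The function names and the sample packet are constructed for illustration; packets carrying a scope ID are rejected rather than parsed.

```python
import struct

QTYPES = {0x0020: "NB", 0x0021: "NBSTAT"}

def decode_nb_name(encoded: bytes) -> bytes:
    """Reverse first-level encoding: 32 letters 'A'..'P' -> 16 raw bytes."""
    if len(encoded) != 32 or any(not 0x41 <= c <= 0x50 for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    # Each raw byte was split into two nibbles, each added to ord('A').
    return bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                 for i in range(0, 32, 2))

def parse_nbns_query(payload: bytes) -> dict:
    """Parse the first question of a UDP/137 name service packet."""
    if len(payload) < 50:  # 12 header + 1 len + 32 name + 1 end + 4 type/class
        raise ValueError("too short for an NBNS question")
    txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    # Length byte must be 0x20 and the name must end with a zero label
    # (a non-zero byte here would start a scope ID, not handled in this sketch).
    if qdcount < 1 or payload[12] != 0x20 or payload[45] != 0x00:
        raise ValueError("unexpected question layout")
    raw = decode_nb_name(payload[13:45])
    qtype, _qclass = struct.unpack("!HH", payload[46:50])
    return {
        "txid": txid,
        "is_response": bool(flags & 0x8000),
        "name": raw[:15].rstrip(b"\x00 ").decode("ascii", "replace"),
        "suffix": raw[15],
        "qtype": QTYPES.get(qtype, hex(qtype)),
        # "*" followed by 15 zero bytes encodes to "CK" + 30 x "A".
        "wildcard": raw == b"*" + b"\x00" * 15,
    }

# Constructed sample: a node status (NBSTAT) query for the wildcard name.
SAMPLE = (struct.pack("!HHHHHH", 0x1234, 0x0000, 1, 0, 0, 0)
          + b"\x20" + b"CK" + b"A" * 30 + b"\x00"
          + struct.pack("!HH", 0x0021, 0x0001))

if __name__ == "__main__":
    print(parse_nbns_query(SAMPLE))
```
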




