From: Rose, Jerry L SAJ (Jerry.L.Rosesaj02.usace.army.mil)
Date: Thu Nov 01 2001 - 12:42:13 CST

    This link may give you some ideas to try.
    http://www.sans.org/newlook/resources/IDFAQ/netstat.htm

    -----Original Message-----
    From: Andrew R. Baker [mailto:andrewbsnort.org]
    Sent: Thursday, November 01, 2001 12:34 PM
    To: Leonardo Rodrigues
    Cc: Snort Mailing List
    Subject: Re: [Snort-users] strange data

    Leonardo Rodrigues wrote:
    >
    >
    > I got with snort a very strange traffic flowing from one of my NT
    > servers apparently for a LOT of internet broadcast addresses. They are
    > being correctly NOT forwarded by my firewall ( linux+ipchains ). But, I
    > don't have any idea of WHAT can be generating this strange traffic. It's
    > being originated on 1029/udp port, and snort log shows:
    >
    [snip]
    >
    > Do you have any idea of what can be generating this traffic?
    >

    IIRC, Windows 2000 (and possibly others) will bind some of the NetBIOS
    services to high-numbered ports. I would suggest using the FPipe utility
    (http://www.foundstone.com/rdlabs/tools.php) to determine what
    application is bound to the port.

    -Andrew

    _______________________________________________
    Snort-users mailing list
    Snort-users@lists.sourceforge.net
    Go to this URL to change user options or unsubscribe:
    https://lists.sourceforge.net/lists/listinfo/snort-users
    Snort-users list archive:
    http://www.geocrawler.com/redir-sf.php3?list=snort-users
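
Added example (not part of the original thread or of any tool mentioned in it): both replies point toward checking netstat and finding which application is bound to 1029/udp. The sketch below assumes Windows `netstat -ano` output, which includes the owning PID, and runs over a constructed sample; the function names are hypothetical.

```python
# Constructed sample of Windows `netstat -ano` output (not from the thread).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    192.0.2.10:1029        198.51.100.7:443       ESTABLISHED     2216
  UDP    0.0.0.0:1029           *:*                                    1432
  UDP    192.0.2.10:137         *:*                                    4
  UDP    [::]:1029              *:*                                    1432
"""


def split_endpoint(endpoint):
    """Split 'addr:port' (IPv4, '*', or bracketed IPv6) into (addr, port)."""
    # rpartition keeps the colons inside an IPv6 address on the address side.
    addr, _, port = endpoint.rpartition(":")
    return addr.strip("[]"), port


def find_owners(netstat_text, proto, port):
    """Return a sorted list of (local_addr, pid) pairs bound to proto/port."""
    owners = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        # TCP rows have 5 columns; UDP rows have 4 because State is blank.
        # Banner and header lines fail one of these two checks and are skipped.
        if len(fields) not in (4, 5) or fields[0].upper() != proto.upper():
            continue
        addr, local_port = split_endpoint(fields[1])
        # The PID is always the last column, whatever the row width.
        if local_port == str(port) and fields[-1].isdigit():
            owners.add((addr, int(fields[-1])))
    return sorted(owners)


if __name__ == "__main__":
    # The port from the thread: which PID holds 1029/udp in the sample?
    for addr, pid in find_owners(SAMPLE, "udp", 1029):
        # Map the PID to an image name with: tasklist /FI "PID eq <pid>"
        print(f"udp/1029 on {addr} is owned by PID {pid}")
```

Filtering on protocol matters here: in the sample, an outbound TCP connection happens to use local port 1029 as well, and it belongs to a different process than the UDP socket.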