From: Erek Adams (erektheadamsfamily.net)
Date: Sun Feb 10 2002 - 20:48:34 CST
On Sun, 10 Feb 2002, Andy Leigh wrote:
> BPF filters seemed a good way to go as well, but when I tried to put a
> filter together I became discouraged. The portscan is mostly being tripped
> off by each Windows 9x client trying to boot up and log in. The first time you
> analyse how it does it, your jaw drops. For a network with only one PDC or a
> PDC + BDC, I'm certain that this is not a problem. What I see is this:
> Imagine 500 machines all booting up!
Dear lord.... I'm so glad I don't have to deal with that kind of 'fun'.
> I could put a BPF filter in on "any 135:139" going to all the addresses in
> the WINS boxes, but I think that I would then miss important other weird
> behaviour against the NetBIOS structure. A "Portscan: ignoreports" option
> would let me do all normal tracking, but not go mad with W9x bootup
Yep, in that situation an ignoreports option would be the only thing that could
> By the way, all W9x clients do this behaviour with "administrator" as the
> logon ID. Given that the machines aren't logging in, they are just probing,
> I think this was irresponsible behaviour by the MS coders.
Well, it's not the optimum solution, but you could replace all those M$ boxes
with SunRays, *BSD boxes, Linux boxes, etc... :) Ok, it's a dream...
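[Added example, not code from this thread or from Snort: a small Python model of the trade-off Andy describes between a BPF prefilter and a per-port exemption for the portscan detector. The hosts, ports, timings and the "scan" are all constructed for the example, and the `ignoreports` behaviour is the hypothetical option he asks for, modelled here rather than an actual Snort feature. The sliding-window counter (N distinct host/port pairs in M seconds) is a stand-in for a portscan preprocessor, not Snort's implementation.]

```python
"""Portscan detection over constructed flow records: BPF prefilter vs. ignoreports.

Added example, not code from the Snort-users thread or from Snort itself. It
models the trade-off described above: a BPF prefilter in front of the sensor
drops NetBIOS traffic before any rule can see it, while a hypothetical
per-port ignore list exempts those ports from portscan counting only.
"""
from collections import defaultdict

# Constructed flow records: (time_s, src_ip, dst_ip, proto, dst_port).
# Host addresses and the scan itself are made up for this example.
W9X_CLIENT = "10.1.1.50"                      # one booting Windows 9x client
SCANNER = "10.9.9.9"                          # a genuine port scanner
OUTSIDER = "192.0.2.7"                        # an address outside HOME_NET
WINS_HOSTS = ["10.1.0.1", "10.1.0.2", "10.1.0.3"]
NETBIOS_PORTS = [135, 137, 138, 139]
HOME_NET_PREFIX = "10."

FLOWS = []
_t = 0.0
# The W9x client probes 135-139 on every WINS/PDC box during boot: 12 distinct
# (host, port) pairs in 1.2 seconds, which looks like a scan to a naive counter.
for _host in WINS_HOSTS:
    for _port in NETBIOS_PORTS:
        _proto = "tcp" if _port in (135, 139) else "udp"
        FLOWS.append((_t, W9X_CLIENT, _host, _proto, _port))
        _t += 0.1
# A real scan: 12 low ports on a non-WINS host within 0.6 seconds.
for _i, _port in enumerate(range(20, 32)):
    FLOWS.append((10.0 + _i * 0.05, SCANNER, "10.1.0.9", "tcp", _port))
# One packet a NetBIOS signature rule should still see: a session to TCP/139
# on a WINS box from outside the home network.
FLOWS.append((20.0, OUTSIDER, "10.1.0.1", "tcp", 139))


def bpf_prefilter(flows):
    """Drop packets to 135-139 on the WINS boxes before the sensor sees them,
    as a BPF expression such as
    'not (dst host <wins> and (dst port 135 or dst port 137 or ...))' would."""
    return [f for f in flows if not (f[2] in WINS_HOSTS and 135 <= f[4] <= 139)]


def portscan_alerts(flows, threshold=5, window=3.0, ignoreports=()):
    """Return the set of sources that touch >= threshold distinct (dst, port)
    pairs inside any `window`-second span. Ports in `ignoreports` are left out
    of the count, but the packets themselves are not dropped."""
    touches = defaultdict(list)
    for ts, src, dst, _proto, dport in sorted(flows):
        if dport not in ignoreports:
            touches[src].append((ts, dst, dport))
    alerted = set()
    for src, events in touches.items():
        in_window = defaultdict(int)   # (dst, port) -> occurrences in window
        start = 0
        for ts, dst, dport in events:
            in_window[(dst, dport)] += 1
            # Slide the window start forward past events older than `window`.
            while events[start][0] < ts - window:
                old = (events[start][1], events[start][2])
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= threshold:
                alerted.add(src)
                break
    return alerted


def netbios_rule(flows):
    """A signature-style rule: any TCP/139 traffic from outside HOME_NET."""
    return [(src, dst) for _ts, src, dst, proto, dport in flows
            if proto == "tcp" and dport == 139
            and not src.startswith(HOME_NET_PREFIX)]


def analyze(flows, mode):
    """Run both detectors under one of three configurations:
    'none'        - no mitigation: boot traffic trips the portscan detector
    'bpf'         - BPF prefilter: quiet, but the NetBIOS rule goes blind
    'ignoreports' - hypothetical per-port exemption: quiet, rule still fires
    """
    if mode == "bpf":
        flows = bpf_prefilter(flows)
    ignore = tuple(NETBIOS_PORTS) if mode == "ignoreports" else ()
    return {"portscan": portscan_alerts(flows, ignoreports=ignore),
            "netbios_rule": netbios_rule(flows)}


if __name__ == "__main__":
    for mode in ("none", "bpf", "ignoreports"):
        print(mode, analyze(FLOWS, mode))
```

Running it shows the point of the thread: with no mitigation the booting client and the scanner both alert; with the BPF prefilter only the scanner alerts, but the outsider's TCP/139 session to a WINS box never reaches the signature rule; with a per-port exemption on 135-139 the portscan count is quiet and the rule still fires.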
Snort-users mailing list