Yeah, try this if you have a MS Proxy 2.0 server.
Punch in a URL like http://209.247.228.201 and watch what your proxy server does.
It will send a nbname packet to that address. I am not sure if this is related to WebSense, or what.
I suppose it might be WebSense trying to find out the "name" of the server for its logging purposes, but wouldn't
that best be done thru a reverse DNS lookup? weird.
 
Squid didn't do that (go figure, it's running on Solaris)
 
The nbname packets that are clogging my logs are from all over creation. Asia, Russia, U.S., Europe, etc etc.
I doubt it's anything other than malicious.
 
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, May 02, 2001 8:33 PM
To: firewall discussion list; [EMAIL PROTECTED]
Subject: Re: lots of port 137 in deny log


Carl,

There are numerous netbios based scanners out there so "malicious intent" is certainly a possibility. But, I had a similar problem on a firewall I was administering. I traced it back to a company on the same ISP segment I was on that had netbios enabled on their web and proxy servers. These two servers accounted for 700-800 port 137 denies every day. It was interesting to watch because they would first try specific addresses, then broadcast addresses, then class B broadcasts.

It's interesting to monitor segments with NT boxes on them. Even when you set up security controls on the interfaces to block everything but TCP/IP, they still send out mailbox queries and other garbage. Go figure.

-- Bill Stackpole, CISSP  
