Firewall log that caught my attention

  1. #1
    AntiOnline Senior Medicine Man
    Join Date
    Nov 2001
    Posts
    724

    Firewall log that caught my attention

    So, it was a normal night, I was chillin online doing my thing. Then I started looking at my firewall logs and found that every time I log on to AOL Instant Messenger, I can see my firewall block NETBIOS traffic to an AIM address. Why on earth is AOL attempting a Netbios connection? Check it out for yourself...anybody know what's up with that?

    Block NetBIOS Traffic *NetBIOS 64.12.26.41 NETBIOS_NS Outbound UDP
    It is better to be HATED for who you are, than LOVED for who you are NOT.

    THC/IP Version 4.2

  2. #2
    Macht Nicht Aus moxnix's Avatar
    Join Date
    May 2002
    Location
    Huson Mt.
    Posts
    1,752
    I don't have or use AIM so I couldn't duplicate your test, but I did start my Yahoo Messenger and MSN Messenger. The MSN Messenger didn't produce any results, but when I started Yahoo, my firewall blocked 2 program access requests from Yahoo updater. I also remember denying that when I was configuring my firewall so it is not a surprise to me.
    "Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, Champagne in one hand - strawberries in the other, body thoroughly used up, totally worn out and screaming WOO HOO - What a Ride!"
    Author Unknown

  3. #3
    Senior Member
    Join Date
    Jan 2003
    Posts
    100
    It could be that the messenger program is trying to send info out on that port, and seeing that it is usually a netbios port, the scanner thought that this traffic was actually netbios traffic?

  4. #4
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356

    Re: Firewall log that caught my attention

    Originally posted here by Dr Toker
    So, it was a normal night, I was chillin online doing my thing. Then I started looking at my firewall logs and found that every time I log on to AOL Instant Messenger, I can see my firewall block NETBIOS traffic to an AIM address. Why on earth is AOL attempting a Netbios connection? Check it out for yourself...anybody know what's up with that?

    Block NetBIOS Traffic *NetBIOS 64.12.26.41 NETBIOS_NS Outbound UDP
    The key here is this: NETBIOS_NS

    Your system is essentially trying to use netbios to resolve names. This is default Windows behaviour (especially Win2k/XP) and unless you disable netbios over tcp/ip and unbind the netbios services (which will kill microsoft network), there really isn't any way to stop this. Essentially Windows uses the netbios name service as a fallback to DNS (considering that M$ now calls bind 'legacy DNS', that should be a rough approximation on how they do things... ). It usually will not resort to netbios unless it is either a last effort to resolve the name, part of microsoft networking, or specifically built into the product you are using (in this case AOL instant messenger, webtrends is another program that does this).

    My guess is that it is built into it to check netbios names...

    Regardless, I wouldn't worry about it too much.

    /nebulus

    EDIT:
    It could be that the messenger program is trying to send info out on that port, and seeing that it is usually a netbios port, the scanner thought that this traffic was actually netbios traffic?
    I find the chances of this to be almost 0%, even though possible. AOL to my knowledge doesn't use UDP datagrams in that fashion, but rather uses TCP. On top of that, picking port 137 would be very ill-advised in that many locations prevent that port from being used from outside of their internal networks. While possible, I think it is much more plausible that the program is simply trying to resolve a name...

    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)
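
An added example, not part of the original thread: a Python decoder for the question in a captured UDP/137 payload, so a blocked NETBIOS_NS entry like the one above can be tied to the name being resolved instead of guessed at. The packet, the host name EXAMPLEHOST, the LAN address and the function names are constructed for illustration, and scoped NetBIOS names are assumed absent.

```python
import ipaddress
import struct

def encode_nb_name(name, suffix=0x00):
    """First-level encoding (RFC 1001): pad to 15 chars, append the suffix byte,
    then write each nibble as a letter 'A'..'P'."""
    raw = name.upper().ljust(15).encode("ascii")[:15] + bytes([suffix])
    return bytes(b for c in raw for b in (0x41 + (c >> 4), 0x41 + (c & 0x0F)))

def decode_nbns_query(payload):
    """Return (name, suffix, qtype) for an NBNS question, or None otherwise."""
    if len(payload) < 50:                       # 12 header + 34 name + 4 type/class
        return None
    _txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000 or qdcount < 1:           # response bit set or no question
        return None
    if payload[12] != 0x20 or payload[45] != 0: # assumption: unscoped names only
        return None
    enc = payload[13:45]
    if any(not 0x41 <= b <= 0x50 for b in enc):
        return None
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    qtype = struct.unpack("!H", payload[46:48])[0]
    return raw[:15].decode("ascii", "replace").rstrip(" \x00"), raw[15], qtype

def classify(dst_ip, payload):
    """Summarise one outbound UDP/137 datagram for a baseline review."""
    q = decode_nbns_query(payload)
    if q is None:
        return f"UDP/137 to {dst_ip}: not an NBNS query, inspect further"
    name, suffix, qtype = q
    kind = {0x20: "NB", 0x21: "NBSTAT"}.get(qtype, hex(qtype))
    scope = "internal" if ipaddress.ip_address(dst_ip).is_private else "internet-bound"
    return f"{kind} query for {name!r}<{suffix:02X}> to {dst_ip} ({scope})"

# Constructed sample: a name query for the made-up host EXAMPLEHOST.
SAMPLE = (struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + b"\x20"
          + encode_nb_name("EXAMPLEHOST") + b"\x00" + struct.pack("!HH", 0x20, 0x01))

if __name__ == "__main__":
    print(classify("64.12.26.41", SAMPLE))      # destination from the log line above
    print(classify("192.168.1.255", SAMPLE))    # constructed LAN broadcast address
```

A payload that fails to decode here is the case post #3 raises, where something other than name resolution is using the port.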

  5. #5
    AntiOnline Senior Medicine Man
    Join Date
    Nov 2001
    Posts
    724
    This is what I suspected. Thanks for the insight, I really wasn't worried about it as much as I was curious. I am trying to get a base-line of what "normal" behavior should look like. Thanks for your help.
    It is better to be HATED for who you are, than LOVED for who you are NOT.

    THC/IP Version 4.2
