I am currently blocking out netbios UDP port 137 on my firewall and was
wondering what the following means in terms of security:

Jul 9 16:19:05 oscar kernel: IP fw-in rej eth0 UDP SOMEONES_IP:137 MY_IP:137 L=78 S=0x00 I=46484 F=0x0000 T=111

I have gotten a few 100 of these and was wondering if there are some
vulnerabilities related to netbios out there?? What do the S/I/F/L fields
stand for?? I assume T= TOS? Thanks for any info I would appreciate any
info/URL's now. Is there a way to tell tcpdump to dump all netbios
packets originating from outside my present class C to a file for future
viewing?? Thanks again I appreciate the help

Ryan

Ryan Matteson wrote:

> I am currently blocking out netbios UDP port 137 on my firewall and was
> wondering what the following means in terms of security:
>
> Jul 9 16:19:05 oscar kernel: IP fw-in rej eth0 UDP SOMEONES_IP:137
> MY_IP:137 L=78 S=0x00 I=46484 F=0x0000 T=111
>
> I have gotten a few 100 of these and was wondering if there are some
> vulnerabilities related to netbios out there??

Is anyone connecting to MS-Exchange from your box? Apparently
MS-Exchange sometimes attempts to perform netbios-ns lookups on clients
which connect to it.

> What do the S/I/F/L fields stand for?? I assume T= TOS? Thanks for
> any info I would appreciate any info/URL's now.

From /usr/src/linux/net/ipv4/ip_fw.c:

    printk(" L=%hu S=0x%2.2hX I=%hu F=0x%4.4hX T=%hu",
           ntohs(ip->tot_len), ip->tos, ntohs(ip->id),
           ip->frag_off, ip->ttl);

where `ip' is a `struct iphdr *'.

> Is there a way to tell tcpdump to dump all netbios
> packets originating from outside my present class C to a file for future
> viewing??

Try:

    tcpdump -i eth0 dst port 137 and not src net x.x.x.0

where x.x.x.0 is your local network.

--
Glynn Clements <glynn@sensei.co.uk>

On Thu, Jul 09, 1998 at 05:44:30PM -0400, Ryan Matteson wrote:

>I am currently blocking out netbios UDP port 137 on my firewall and was
>wondering what the following means in terms of security:
>
>Jul 9 16:19:05 oscar kernel: IP fw-in rej eth0 UDP SOMEONES_IP:137
>MY_IP:137 L=78 S=0x00 I=46484 F=0x0000 T=111
>
>I have gotten a few 100 of these and was wondering if there are some
>vulnerabilities related to netbios out there?? What do the S/I/F/L fields
>stand for?? I assume T= TOS? Thanks for any info I would appreciate any
>info/URL's now. Is there a way to tell tcpdump to dump all netbios
>packets originating from outside my present class C to a file for future
>viewing?? Thanks again I appreciate the help

137/udp is netbios-ns. The someone is probably checking for the
Netbios-name of your machine. Yes, there are some vulnerabilities known.
Samba was until recently remotely exploitable to gain root access, and
there's still the possibility of public shares.

Hope I could help,
-forcer

--
/* If you understand what you're doing, you're not learning anything. */
/* email: forcer@mindless.com -><- www: http://webserver.de/forcer/ */
/* IRC: forcer@#StarWars (IRCnet) -><- PGP/GPG: available on my website */

On Thu, Jul 09, 1998 at 05:44:30PM -0400, Ryan Matteson wrote:

> I am currently blocking out netbios UDP port 137 on my firewall and was
> wondering what the following means in terms of security:
>
> Jul 9 16:19:05 oscar kernel: IP fw-in rej eth0 UDP SOMEONES_IP:137
> MY_IP:137 L=78 S=0x00 I=46484 F=0x0000 T=111
>
> I have gotten a few 100 of these and was wondering if there are some
> vulnerabilities related to netbios out there?? What do the S/I/F/L fields
> stand for??

From linux/net/ipv4/ip_fw.c:

    printk(" L=%hu S=0x%2.2hX I=%hu F=0x%4.4hX T=%hu",
           ntohs(ip->tot_len), ip->tos, ntohs(ip->id),
           ip->frag_off, ip->ttl);

That is,

    L = total length of IP packet
    S = type of service
    I = fragment identifier
    F = fragment offset
    T = time to live

There could also be multiple O='s, showing the contents of IP options
area of the IP packet.

> Is there a way to tell tcpdump to dump all netbios
> packets originating from outside my present class C to a file for future
> viewing??

    tcpdump -s 128 -w - -i ethX not src net 192.111.222/24 and udp port 137 \
        | gzip -5 > file
    zcat file | tcpdump -nr - | less
    zcat file | strings | less

Could these packets be a security threat, to which systems (windows? nt?
linux running samba?) and to which extent? Someone with knowledge of
microsoft networking and neighbourhoods please enlighten us... unless
this becomes off-topic at this point :-)

--
Yury
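
The field meanings given above, applied as an added example (not code from any poster in this thread): a Python parser for the TCP/UDP form of the log line Ryan quoted, which counts rejected UDP packets to port 137 per source outside the local network. The sample lines, addresses and function names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# TCP/UDP form of the log line quoted in this thread (other forms not handled).
LINE_RE = re.compile(
    r"IP (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) (?P<proto>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<L>\d+) S=0x(?P<S>[0-9A-Fa-f]+) I=(?P<I>\d+) "
    r"F=0x(?P<F>[0-9A-Fa-f]+) T=(?P<T>\d+)")

# Constructed sample lines; the addresses are documentation ranges.
SAMPLE_LOG = """\
Jul  9 16:19:05 oscar kernel: IP fw-in rej eth0 UDP 198.51.100.7:137 192.0.2.10:137 L=78 S=0x00 I=46484 F=0x0000 T=111
Jul  9 16:19:09 oscar kernel: IP fw-in rej eth0 UDP 198.51.100.7:137 192.0.2.10:137 L=78 S=0x00 I=46740 F=0x0000 T=111
Jul  9 16:20:41 oscar kernel: IP fw-in rej eth0 UDP 192.0.2.33:137 192.0.2.255:137 L=78 S=0x00 I=1201 F=0x0000 T=128
Jul  9 16:21:02 oscar kernel: IP fw-in rej eth0 TCP 203.0.113.5:1042 192.0.2.10:139 L=44 S=0x00 I=5120 F=0x0040 T=52
"""

def parse_line(line):
    """Decode one log line into named fields; None if it does not match."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    return {
        "action": d["action"], "iface": d["iface"], "proto": d["proto"],
        "src": ipaddress.ip_address(d["src"]), "sport": int(d["sport"]),
        "dst": ipaddress.ip_address(d["dst"]), "dport": int(d["dport"]),
        "tot_len": int(d["L"]),           # L: ntohs(ip->tot_len)
        "tos": int(d["S"], 16),           # S: ip->tos
        "ip_id": int(d["I"]),             # I: ntohs(ip->id)
        "frag_off_raw": int(d["F"], 16),  # F: ip->frag_off, printed without ntohs
        "ttl": int(d["T"]),               # T: ip->ttl
    }

def external_nbns_sources(log_text, local_net):
    """Count rejected UDP packets to port 137 per source outside local_net."""
    net = ipaddress.ip_network(local_net)
    hits = Counter()
    for rec in map(parse_line, log_text.splitlines()):
        if (rec and rec["action"] == "rej" and rec["proto"] == "UDP"
                and rec["dport"] == 137 and rec["src"] not in net):
            hits[str(rec["src"])] += 1
    return hits

if __name__ == "__main__":
    for src, count in external_nbns_sources(SAMPLE_LOG, "192.0.2.0/24").most_common():
        print(f"{src}\t{count}")
```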

At 17:44 09-07-98 -0400, Ryan Matteson wrote:

>was wondering if there are some
>vulnerabilities related to netbios out there??

At http://www.antionline.com/archives/documents/advanced/cifs.txt there
is a security analysis of TCP/IP NetBIOS file sharing.

Greetings from Troels Arvin, Copenhagen, Denmark
http://www.mdb.ku.dk/tarvin/