[linux-security] Re: What is someone looking for??
- From: Yury Shevchuk <sizif botik ru>
- To: Ryan Matteson <x96matteson wmich edu>
- Cc: linux-security redhat com
- Subject: [linux-security] Re: What is someone looking for??
- Date: Sun, 12 Jul 1998 08:14:16 +0400
On Thu, Jul 09, 1998 at 05:44:30PM -0400, Ryan Matteson wrote:
> I am currently blocking out netbios UDP port 137 on my firewall and was
> wondering what the following means in terms of security:
>
> Jul 9 16:19:05 oscar kernel: IP fw-in rej eth0 UDP SOMEONES_IP:137
> MY_IP:137 L=78 S=0x00 I=46484 F=0x0000 T=111
>
> I have gotten a few 100 of these and was wondering if there are some
> vulnerabilities related to netbios out there?? What do the S/I/F/L fields
> stand for??
From linux/net/ipv4/ip_fw.c:

    printk(" L=%hu S=0x%2.2hX I=%hu F=0x%4.4hX T=%hu",
           ntohs(ip->tot_len), ip->tos, ntohs(ip->id),
           ip->frag_off, ip->ttl);
That is,
L = total length of IP packet
S = type of service
I = fragment identifier
F = fragment offset
T = time to live
There could also be multiple O='s, showing the contents of IP options
area of the IP packet.
> Is there a way to tell tcpdump to dump all netbios
> packets originating from outside my present class C to a file for future
> viewing??
tcpdump -s 128 -w - -i ethX not src net 192.111.222/24 and udp port 137 \
| gzip -5 > file
zcat file | tcpdump -nr - | less
zcat file | strings | less
Could these packets be a security threat, to which systems (windows?
nt? linux running samba?) and to which extent? Someone with knowledge
of microsoft networking and neighbourhoods please enlighten
us... unless this becomes off-topic at this point :-)
-- Yury
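Added example (not part of the original post): a small parser for the ip_fw log format decoded above, using the field meanings given in the message, plus a per-source count of rejected packets. The first sample line is the one from the post re-joined onto one line; the others are constructed with documentation addresses, and the 78-byte size check assumes a 20-byte IP header with no options (no O= fields were printed) and an 8-byte UDP header in front of a 50-byte NetBIOS name query.

```python
import re
from collections import Counter

# Matches the ip_fw.c log line: chain, verdict, interface, protocol, the
# two addr:port pairs, then the fixed "L= S= I= F= T=" tail from the printk.
IPFW_RE = re.compile(
    r"IP fw-(?P<chain>\w+) (?P<action>\w+) (?P<iface>\S+) (?P<proto>\w+) "
    r"(?P<src>\S+):(?P<sport>\d+) (?P<dst>\S+):(?P<dport>\d+) "
    r"L=(?P<L>\d+) S=0x(?P<S>[0-9A-Fa-f]+) I=(?P<I>\d+) "
    r"F=0x(?P<F>[0-9A-Fa-f]+) T=(?P<T>\d+)"
)

SAMPLE_LINES = [
    # the line quoted in the post, re-joined onto one line
    "Jul 9 16:19:05 oscar kernel: IP fw-in rej eth0 UDP SOMEONES_IP:137 MY_IP:137 L=78 S=0x00 I=46484 F=0x0000 T=111",
    # constructed lines (documentation addresses) to give the summary something to count
    "Jul 9 16:20:11 oscar kernel: IP fw-in rej eth0 UDP 203.0.113.5:137 198.51.100.7:137 L=78 S=0x00 I=46485 F=0x0000 T=111",
    "Jul 9 16:21:40 oscar kernel: IP fw-in rej eth0 UDP 203.0.113.5:137 198.51.100.7:137 L=78 S=0x00 I=46490 F=0x0000 T=111",
    "Jul 9 16:22:03 oscar kernel: IP fw-in rej eth0 TCP 203.0.113.9:2049 198.51.100.7:139 L=44 S=0x00 I=1 F=0x4000 T=64",
    "Jul 9 16:22:05 oscar kernel: unrelated message",
]

def parse_ipfw(line):
    """Return the fields of one ip_fw log line as a dict, or None if it is not one."""
    m = IPFW_RE.search(line)
    if not m:
        return None
    f = m.groupdict()
    return {
        "chain": f["chain"], "action": f["action"], "iface": f["iface"],
        "proto": f["proto"], "src": f["src"], "sport": int(f["sport"]),
        "dst": f["dst"], "dport": int(f["dport"]),
        "tot_len": int(f["L"]),       # L: total length of the IP packet
        "tos": int(f["S"], 16),       # S: type of service
        "id": int(f["I"]),            # I: IP identification (fragment id)
        "frag_off": int(f["F"], 16),  # F: fragment offset field, kept raw as the printk prints it
        "ttl": int(f["T"]),           # T: time to live
    }

def looks_like_nbns_name_query(p):
    """True if size and ports fit a plain NetBIOS name query (20 IP + 8 UDP + 50 NBNS = 78)."""
    return p is not None and p["proto"] == "UDP" and p["dport"] == 137 and p["tot_len"] == 78

def summarize(lines):
    """Count rejected packets per (source, destination port) to see who keeps knocking."""
    counts = Counter()
    for line in lines:
        p = parse_ipfw(line)
        if p and p["action"] == "rej":
            counts[(p["src"], p["dport"])] += 1
    return counts
```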