
[linux-security] Re: What is someone looking for??



Ryan Matteson wrote:

> I am currently blocking out netbios UDP port 137 on my firewall and was
> wondering what the following means in terms of security:
> 
> Jul  9 16:19:05 oscar kernel: IP fw-in rej eth0 UDP SOMEONES_IP:137
> MY_IP:137 L=78 S=0x00 I=46484 F=0x0000 T=111
> 
> I have gotten a few 100 of these and was wondering if there are some
> vulnerabilities related to netbios out there??

Is anyone connecting to MS-Exchange from your box? Apparently
MS-Exchange sometimes attempts to perform netbios-ns lookups on
clients which connect to it.

> What do the S/I/F/L fields stand for?? I assume T= TOS? Thanks for
> any info I would appreciate any info/URL's now.

From /usr/src/linux/net/ipv4/ip_fw.c:

	printk(" L=%hu S=0x%2.2hX I=%hu F=0x%4.4hX T=%hu",
		ntohs(ip->tot_len), ip->tos, ntohs(ip->id),
		ip->frag_off, ip->ttl);

where `ip' is a `struct iphdr *'.

> Is there a way to tell tcpdump to dump all netbios
> packets originating from outside my present class C to a file for future
> viewing??

Try:
	tcpdump -i eth0 dst port 137 and not src net x.x.x.0

where x.x.x.0 is your local network.

-- 
Glynn Clements <glynn sensei co uk>
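The log format discussed in this message, as an added example that is not part of the original mail: a Python parser for these kernel ipfw lines that types the L/S/I/F/T fields (tot_len, tos, id, frag_off, ttl, as in the quoted printk) and counts rejected packets per source for one destination port, so a few hundred port-137 rejects can be attributed to the hosts sending them. The sample lines, host name and addresses are constructed. One caveat the quoted printk shows: ip->frag_off is passed without ntohs(), so F= is printed in network byte order, and on a little-endian x86 logger the two bytes appear swapped (DF, 0x4000 in host order, is logged as 0x0040); the decoder assumes a little-endian logging host unless told otherwise.

```python
import re
from collections import Counter

# Constructed sample lines in the format of the kernel ipfw log quoted in the
# message. Host name and addresses are made up (RFC 5737 documentation ranges).
SAMPLE_LOG = """\
Jul  9 16:19:05 oscar kernel: IP fw-in rej eth0 UDP 198.51.100.7:137 192.0.2.5:137 L=78 S=0x00 I=46484 F=0x0000 T=111
Jul  9 16:19:07 oscar kernel: IP fw-in rej eth0 UDP 198.51.100.7:137 192.0.2.5:137 L=78 S=0x00 I=46485 F=0x0000 T=111
Jul  9 16:20:11 oscar kernel: IP fw-in rej eth0 UDP 198.51.100.23:137 192.0.2.5:137 L=78 S=0x00 I=1021 F=0x0040 T=64
Jul  9 16:21:30 oscar kernel: IP fw-in rej eth0 TCP 198.51.100.9:4321 192.0.2.5:139 L=44 S=0x00 I=7 F=0x0040 T=58
"""

# One regex for the whole line; the trailing fields follow the printk in
# ip_fw.c: L=tot_len  S=tos  I=id  F=frag_off  T=ttl
LINE_RE = re.compile(
    r"^(?P<stamp>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: IP "
    r"(?P<chain>fw-\w+) (?P<action>\w+) (?P<iface>\S+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=0x(?P<tos>[0-9A-Fa-f]+) I=(?P<id>\d+) "
    r"F=0x(?P<frag>[0-9A-Fa-f]+) T=(?P<ttl>\d+)$"
)


def decode_frag(raw, little_endian_host=True):
    """Decode the F= value into (DF, MF, fragment offset in bytes).

    The quoted printk hands ip->frag_off to printk without ntohs(), so the
    logged number is the 16-bit field as stored in memory (network order).
    On a little-endian host the bytes therefore appear swapped: DF, which is
    0x4000 in host order, is logged as 0x0040. Pass little_endian_host=False
    for a big-endian logger, where the logged value is already host order.
    """
    if little_endian_host:
        raw = ((raw & 0xFF) << 8) | ((raw >> 8) & 0xFF)
    df = bool(raw & 0x4000)          # Don't Fragment
    mf = bool(raw & 0x2000)          # More Fragments
    offset = (raw & 0x1FFF) * 8      # offset is stored in 8-byte units
    return df, mf, offset


def parse_line(line, little_endian_host=True):
    """Return one ipfw log line as a dict with numeric fields converted, or
    None when the line is something else (syslog carries plenty of those)."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "len", "id", "ttl"):
        rec[key] = int(rec[key])
    rec["tos"] = int(rec["tos"], 16)
    raw_frag = int(rec["frag"], 16)
    rec["frag"] = raw_frag
    rec["df"], rec["mf"], rec["frag_offset"] = decode_frag(raw_frag, little_endian_host)
    return rec


def summarize(log_text, dport=137):
    """Count rejected packets per source address for one destination port."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["action"] == "rej" and rec["dport"] == dport:
            hits[rec["src"]] += 1
    return hits


if __name__ == "__main__":
    for rec in filter(None, map(parse_line, SAMPLE_LOG.splitlines())):
        print(f"{rec['src']:>15} -> {rec['dst']}:{rec['dport']} {rec['proto']} "
              f"len={rec['len']} tos=0x{rec['tos']:02x} id={rec['id']} "
              f"DF={rec['df']} MF={rec['mf']} off={rec['frag_offset']} ttl={rec['ttl']}")
    print(dict(summarize(SAMPLE_LOG)))
```

Feed it the relevant lines from /var/log/messages (for example `grep 'fw-in rej' /var/log/messages`) and the per-source counts tell you whether the port-137 rejects come from one or two hosts, as the Exchange explanation above would predict, or from many.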


