Re: Odd traffic again...... internal --> 100.100.100.1 (137-udp)

[Kevin Johnson <kjohnson () secureideas net>]

On Aug 26, 2006, at 10:43 AM, i.m.crazy.frog () gmail com wrote:

> Hi,
> from the link http://www.linklogger.com/UDP137.htm
> "Netbios Name Service is typically how Windows computers find out  
> information concerning the networking features offered by a  
> computer, such as System Name, File Shares, etc."
> i dont say anyting with out seeing the data.if possible pls attach  
> ur ethereal cap file.
> Thanks,
> http://www.secgeeks.com

Hi-

At a customer location, I saw this exact issue.  They had a Xerox
printer hooked up to the network.  The printer comes with a PC that
controls the print jobs.  The communication on this machine to the
printer is on a private network that Xerox decided to use the
100.100.100.0 network.  For some reason this machine will try and
route traffic over the wrong interface quite often.  This is why you
will see drops from your firewall.  I can't guarantee that this is
what you are seeing, but it looks exactly the same.

Kevin
---------------------
GCIA, GCIH, CEH
BASE Project Lead
http://base.secureideas.net
The next step in IDS analysis!



------------------------------------------------------------------------------
This List Sponsored by: Black Hat

Attend the Black Hat Briefings & Training USA, July 29-August 3 in Las Vegas. 
World renowned security experts reveal tomorrow's threats today. Free of 
vendor pitches, the Briefings are designed to be pragmatic regardless of your 
security environment. Featuring 36 hands-on training courses and 10 conference 
tracks, networking opportunities with over 2,500 delegates from 40+ nations. 

http://www.blackhat.com
------------------------------------------------------------------------------