[1971] in linux-security and linux-alert archive


[linux-security] Re: What is someone looking for??

daemon@ATHENA.MIT.EDU (Glynn Clements)
Sun Jul 12 04:36:38 1998

From: Glynn Clements <glynn@sensei.co.uk>
Date: Sun, 12 Jul 1998 00:21:00 +0100 (BST)
To: Ryan Matteson <x96matteson@wmich.edu>
Cc: linux-security@redhat.com
In-Reply-To: <35A539BE.B30D9005@wmich.edu>
Resent-From: linux-security@redhat.com
Resent-Reply-To: linux-security@redhat.com


Ryan Matteson wrote:

> I am currently blocking out netbios UDP port 137 on my firewall and was
> wondering what the following means in terms of security:
> 
> Jul  9 16:19:05 oscar kernel: IP fw-in rej eth0 UDP SOMEONES_IP:137
> MY_IP:137 L=78 S=0x00 I=46484 F=0x0000 T=111
> 
> I have gotten a few 100 of these and was wondering if there are some
> vulnerabilities related to netbios out there??

Is anyone connecting to MS-Exchange from your box? Apparently
MS-Exchange sometimes attempts to perform netbios-ns lookups on
clients which connect to it.

> What do the S/I/F/L fields stand for?? I assume T= TOS? Thanks for
> any info I would appreciate any info/URL's now.

From /usr/src/linux/net/ipv4/ip_fw.c:

	printk(" L=%hu S=0x%2.2hX I=%hu F=0x%4.4hX T=%hu",
		ntohs(ip->tot_len), ip->tos, ntohs(ip->id),
		ip->frag_off, ip->ttl);

where `ip' is a `struct iphdr *'.

> Is there a way to tell tcpdump to dump all netbios
> packets originating from outside my present class C to a file for future
> viewing??

Try:
	tcpdump -i eth0 dst port 137 and not src net x.x.x.0

where x.x.x.0 is your local network.

-- 
Glynn Clements <glynn@sensei.co.uk>
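The following is an added example, not part of the original message or the kernel source it quotes. It decodes log lines in the format Ryan posted using the field meanings Glynn gives from ip_fw.c (L = total length, S = TOS, I = IP id, F = fragment field, T = TTL), and tallies rejected UDP/137 packets per source so a few hundred such lines can be triaged. The hostnames, addresses and timestamps in SAMPLE_LINES are constructed (RFC 5737 documentation ranges); the `host_little_endian` parameter is an assumption that lets the example account for the printk printing `ip->frag_off` without `ntohs`.

```python
import re
from collections import Counter
from typing import Optional

# Format of the ipfwadm-era kernel log line quoted in the thread
# (Linux 2.0 net/ipv4/ip_fw.c). Field meanings, from the printk:
#   L = ntohs(ip->tot_len)  total length in bytes
#   S = ip->tos             type of service
#   I = ntohs(ip->id)       IP identification
#   F = ip->frag_off        fragment flags/offset, printed without ntohs
#   T = ip->ttl             time to live
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"IP (?P<chain>fw-\w+) (?P<action>\w+) (?P<iface>\S+) (?P<proto>\w+) "
    r"(?P<src>[\w.]+):(?P<sport>\d+) (?P<dst>[\w.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=0x(?P<tos>[0-9A-Fa-f]+) I=(?P<id>\d+) "
    r"F=0x(?P<frag>[0-9A-Fa-f]+) T=(?P<ttl>\d+)\s*$"
)

# Common initial TTL values; the observed TTL measured against the
# nearest one above it gives a rough hop-count estimate.
INITIAL_TTLS = (32, 64, 128, 255)


def parse_fw_line(line: str, host_little_endian: bool = True) -> Optional[dict]:
    """Parse one ipfwadm log line into decoded fields; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    frag = int(d["frag"], 16)
    # The kernel prints ip->frag_off raw (no ntohs), so on a little-endian
    # host the two bytes are swapped relative to the on-wire field.
    # (Assumption: the logging host's byte order is passed in by the caller.)
    if host_little_endian:
        frag = ((frag & 0xFF) << 8) | (frag >> 8)
    ttl = int(d["ttl"])
    initial = next((t for t in INITIAL_TTLS if t >= ttl), None)
    return {
        "timestamp": d["ts"],
        "host": d["host"],
        "chain": d["chain"],
        "action": d["action"],
        "iface": d["iface"],
        "proto": d["proto"],
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "total_length": int(d["len"]),
        "tos": int(d["tos"], 16),
        "ip_id": int(d["id"]),
        "dont_fragment": bool(frag & 0x4000),
        "more_fragments": bool(frag & 0x2000),
        "fragment_offset": (frag & 0x1FFF) * 8,
        "ttl": ttl,
        "likely_initial_ttl": initial,
        "estimated_hops": None if initial is None else initial - ttl,
    }


def netbios_ns_sources(lines) -> Counter:
    """Count rejected UDP/137 packets per source address, as a triage view."""
    counts = Counter()
    for line in lines:
        rec = parse_fw_line(line)
        if rec and rec["proto"] == "UDP" and rec["dport"] == 137 and rec["action"] == "rej":
            counts[rec["src"]] += 1
    return counts


# Constructed sample lines in the thread's format (addresses from the
# RFC 5737 documentation ranges, not real hosts).
SAMPLE_LINES = [
    "Jul  9 16:19:05 oscar kernel: IP fw-in rej eth0 UDP 198.51.100.7:137 192.0.2.10:137 L=78 S=0x00 I=46484 F=0x0000 T=111",
    "Jul  9 16:19:07 oscar kernel: IP fw-in rej eth0 UDP 198.51.100.7:137 192.0.2.10:137 L=78 S=0x00 I=46485 F=0x0000 T=111",
    "Jul  9 16:20:31 oscar kernel: IP fw-in rej eth0 UDP 203.0.113.9:137 192.0.2.10:137 L=78 S=0x00 I=1201 F=0x0000 T=62",
    "Jul  9 16:21:02 oscar kernel: IP fw-in acc eth0 TCP 203.0.113.9:1044 192.0.2.10:25 L=60 S=0x00 I=1202 F=0x0040 T=62",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_fw_line(sample))
    print(netbios_ns_sources(SAMPLE_LINES))
```

On the line Ryan posted, T=111 is the TTL rather than the TOS (S=0x00 is the TOS); measured against a common initial TTL of 128 it suggests a sender roughly 17 hops away, which is the kind of detail the decoded record makes visible when deciding whether the hits are one misconfigured client or many sources.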

-- 
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------

To unsubscribe:
  mail -s unsubscribe linux-security-request@redhat.com < /dev/null

