[1971] in linux-security and linux-alert archive
[linux-security] Re: What is someone looking for??
daemon@ATHENA.MIT.EDU (Glynn Clements)
Sun Jul 12 04:36:38 1998
From: Glynn Clements <glynn@sensei.co.uk>
Date: Sun, 12 Jul 1998 00:21:00 +0100 (BST)
To: Ryan Matteson <x96matteson@wmich.edu>
Cc: linux-security@redhat.com
In-Reply-To: <35A539BE.B30D9005@wmich.edu>
Resent-From: linux-security@redhat.com
Resent-Reply-To: linux-security@redhat.com
Ryan Matteson wrote:
> I am currently blocking out netbios UDP port 137 on my firewall and was
> wondering what the following means in terms of security:
>
> Jul 9 16:19:05 oscar kernel: IP fw-in rej eth0 UDP SOMEONES_IP:137
> MY_IP:137 L=78 S=0x00 I=46484 F=0x0000 T=111
>
> I have gotten a few 100 of these and was wondering if there are some
> vulnerabilities related to netbios out there??
Is anyone connecting to MS-Exchange from your box? Apparently
MS-Exchange sometimes attempts to perform netbios-ns lookups on
clients which connect to it.
> What do the S/I/F/L fields stand for?? I assume T= TOS? Thanks for
> any info; I would appreciate any info/URLs now.
From /usr/src/linux/net/ipv4/ip_fw.c:
    printk(" L=%hu S=0x%2.2hX I=%hu F=0x%4.4hX T=%hu",
           ntohs(ip->tot_len), ip->tos, ntohs(ip->id),
           ip->frag_off, ip->ttl);
where `ip' is a `struct iphdr *'.
> Is there a way to tell tcpdump to dump all netbios
> packets originating from outside my present class C to a file for future
> viewing??
Try:
tcpdump -i eth0 dst port 137 and not src net x.x.x.0
where x.x.x.0 is your local network.
--
Glynn Clements <glynn@sensei.co.uk>
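As an added example (not part of this message or of the kernel source), a Python parser that decodes the L/S/I/F/T fields of these ipfwadm log lines using the printk() layout quoted above and counts rejected udp/137 packets per source. It assumes the line format shown in the question; the sample lines and their addresses are constructed, and the byte swap of F reflects the snippet printing ip->frag_off without ntohs().

```python
import re
from collections import Counter

# Field layout follows the printk() in ip_fw.c quoted above:
#   L=tot_len  S=tos  I=id  F=frag_off (raw, no ntohs)  T=ttl
IPFW_RE = re.compile(
    r"kernel: IP fw-(?P<chain>\w+) (?P<action>\w+) (?P<iface>\S+) (?P<proto>\w+) "
    r"(?P<src>\S+):(?P<sport>\d+) (?P<dst>\S+):(?P<dport>\d+) "
    r"L=(?P<L>\d+) S=0x(?P<S>[0-9A-Fa-f]+) I=(?P<I>\d+) "
    r"F=0x(?P<F>[0-9A-Fa-f]+) T=(?P<T>\d+)"
)

def parse_ipfw(line, little_endian=True):
    """Return the decoded fields of one ipfwadm log line, or None."""
    m = IPFW_RE.search(line)
    if not m:
        return None
    frag = int(m["F"], 16)
    # frag_off is printed without ntohs() (unlike tot_len/id), so on a little-endian host the bytes are swapped.
    if little_endian:
        frag = ((frag & 0xFF) << 8) | (frag >> 8)
    tot_len = int(m["L"])
    return {
        "chain": m["chain"], "action": m["action"], "iface": m["iface"],
        "proto": m["proto"], "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
        "tot_len": tot_len, "tos": int(m["S"], 16), "id": int(m["I"]),
        "df": bool(frag & 0x4000), "mf": bool(frag & 0x2000),
        "frag_offset": (frag & 0x1FFF) * 8, "ttl": int(m["T"]),
        # UDP payload size assuming a 20-byte IP header (IHL is not logged):
        # 78 bytes total leaves 50 bytes, the size of a NetBIOS name query.
        "udp_payload": tot_len - 28 if m["proto"] == "UDP" else None,
    }

def count_netbios_rejects(lines, little_endian=True):
    # Count rejected udp/137 packets per source address.
    hits = Counter()
    for line in lines:
        rec = parse_ipfw(line, little_endian)
        if rec and rec["action"] == "rej" and rec["proto"] == "UDP" and rec["dport"] == 137:
            hits[rec["src"]] += 1
    return hits

# Constructed sample lines (documentation addresses), in the format quoted above.
SAMPLE_LOG = """\
Jul  9 16:19:05 oscar kernel: IP fw-in rej eth0 UDP 192.0.2.10:137 198.51.100.5:137 L=78 S=0x00 I=46484 F=0x0000 T=111
Jul  9 16:19:06 oscar kernel: IP fw-in rej eth0 UDP 192.0.2.10:137 198.51.100.5:137 L=78 S=0x00 I=46485 F=0x0000 T=111
Jul  9 16:20:11 oscar kernel: IP fw-in rej eth0 UDP 192.0.2.77:137 198.51.100.5:137 L=78 S=0x00 I=1203 F=0x0040 T=64
Jul  9 16:20:12 oscar kernel: IP fw-in rej eth0 UDP 192.0.2.77:138 198.51.100.5:138 L=243 S=0x00 I=1204 F=0x0000 T=64
""".splitlines()
```

Running count_netbios_rejects(SAMPLE_LOG) gives two hits from 192.0.2.10 and one from 192.0.2.77; the third line's F=0x0040 decodes to DF set once the byte swap is undone.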
--
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------
To unsubscribe:
mail -s unsubscribe linux-security-request@redhat.com < /dev/null