UDP Bomb

May 29th, 2002

Getting a ton of these alarms, any ideas why or how to prevent? I assume port 137 broadcasts are normal Windows operation. I wouldn't think that should trigger an alarm. The sensor is on a LAN segment with servers keeping an eye on traffic from other LANs to these servers.

p.s. I know I can filter out the alarm on the sensor.

>>>>>>

2002/05/28 12:10:34

Source: 192.168.250.114:137 Destination: 192.168.250.255:137

Signature: 4050:0 UDP Bomb 2

NSDB: /nsdb/expsig_4050.html

scothrel Wed, 05/29/2002 - 10:00
User Badges: Cisco Employee

We've not heard of a large increase in this alarm's false positive rate before. Could either of the gentlemen please email or post what IDS version they are running? Also, a general idea of what your Windows network looks like? What software version are you running predominantly, what's the domain structure, if any (NT4, Win2K AD, XP, .NET???), predominant client? I'm wondering if something changed in XP or .NET servers that is causing this.


Scott C.

dmorone Wed, 05/29/2002 - 11:55

Might have my own answer. It might be our Norton AV mgr. polling all clients. Checking.

seth.leone Wed, 05/29/2002 - 13:47

I've seen it trigger on the use of Cisco's VPN client software......
