NetBIOS port 137 block on IDS Sensor 4210

s-cerman
Level 1

hi all,

I have a 4210 IDS sensor (S20), a Cisco PIX 515 and CSPM 2.3.3i (S20). It is configured to block on the PIX. I disabled all of the NetBIOS attack signatures on the IDS, but the IDS is blocking some of the port 137 connections. When I look on the PIX with the "show shun" command I can see the blocked hosts related to NetBIOS, and I can also see the blocked hosts in the CSPM blocked host menu. But I cannot see this attack in the IDS reports. There is no match between the IP address and an attack signature. How can I solve this problem?

1 Reply

marcabal
Cisco Employee

Look in the /usr/nr/var/log.* log files on the sensor. In the log should be an entry to show that the ShunHost command was executed for the particular address. Look at the alarms just prior to that address to determine which alarm fired with that IP address and ports, and then check the sensor configuration to see if the sensor was configured to block for that signature.

What you might find is that the NetBIOS packets may be firing signatures other than the NetBIOS signatures. It may be a sweep or flood signature that is firing. Or the sensor might still be firing the NetBIOS signatures because the sensor configuration hadn't been updated (check /usr/nr/etc/packetd.conf and see if it matches what you configured in CSPM).

Something else to keep in mind is that the block/shun may look like it should only block a specific port, but in actuality the shun/block will stop ALL traffic to and from that IP address and not just the port in the alarm.
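The correlation described in the reply (find the ShunHost entry, walk back to the last alarm on that address, check whether that signature is configured to block) as an added example; this is not code from the thread or from Cisco. The record layout, signature numbers and addresses below are constructed for illustration, since the real /usr/nr/var/log.* format is not shown here.

```python
# Constructed sample records in an assumed comma-separated layout:
# <seq>,<timestamp>,<type>,<sigid>,<src ip>,<src port>,<dst ip>,<dst port>
# Signature IDs 9001 (a "NetBIOS" signature, disabled for blocking) and
# 9002 (a "sweep" signature, still configured to block) are placeholders.
SAMPLE_LOG = """\
1,2002-03-11 10:15:01,ALARM,9001,10.1.1.5,1025,192.168.0.7,137
2,2002-03-11 10:15:02,ALARM,9002,10.1.1.5,1026,192.168.0.7,137
3,2002-03-11 10:15:02,ShunHost,,10.1.1.5,,,
4,2002-03-11 10:16:40,ALARM,9001,10.1.1.9,1040,192.168.0.7,137
5,2002-03-11 10:16:41,ShunHost,,10.1.1.9,,,
"""

# Signatures the sensor config (packetd.conf / CSPM) says should block.
BLOCKING_SIGS = {"9002"}


def correlate_shuns(log_text, blocking_sigs):
    """For each ShunHost record, return the most recent prior alarm that
    involved the shunned address and whether its signature blocks."""
    alarms = []  # (seq, sigid, src, dst, dport) seen so far, in log order
    results = []
    for line in log_text.splitlines():
        seq, _ts, rtype, sig, src, _sport, dst, dport = line.split(",")
        if rtype == "ALARM":
            alarms.append((int(seq), sig, src, dst, dport))
        elif rtype == "ShunHost":
            # Shun records carry the blocked address in the src field.
            prior = [a for a in alarms if src in (a[2], a[3])]
            last = prior[-1] if prior else None
            results.append({
                "shunned": src,
                "alarm_seq": last[0] if last else None,
                "sig": last[1] if last else None,
                "port": last[4] if last else None,
                # False here means the alarm that preceded the shun is not a
                # blocking signature: the running config differs from CSPM.
                "configured_to_block": bool(last) and last[1] in blocking_sigs,
            })
    return results


if __name__ == "__main__":
    for r in correlate_shuns(SAMPLE_LOG, BLOCKING_SIGS):
        print(r)
```

On the constructed data the first shun traces to the sweep signature (a non-NetBIOS signature firing on port 137 traffic), while the second traces to the disabled NetBIOS signature, which points at a stale packetd.conf.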
