Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

NetBIOS port 137 block on IDS Sensor 4210

hi all,

i have 4210 IDS sensor (S20) Cisco PIX 515 and CSPM 2.3.3i (S20). It is configured to blocking on PIX. I disabled all of the NEtBIOS attack signatures on IDS. But IDS is blocking some of the port 137 connections. When i look on PIX with "show shun" command i can see the blocked hosts about netbios also i can see the blocked host on CSPM blocked host menu. But i can not see this attack on IDS reports. There is no match about IP address and attack signature. How can i solve this problem?

  • Other Security Subjects
Cisco Employee

Re: NetBIOS port 137 block on IDS Sensor 4210

Look in the /usr/nr/var/log.* log files on the sensor.In the log should be an entry to show that the ShunHost command was executed for the particular address.Look at the alarms just prior to that address to determine which alarm fired with that ipaddress and ports, and then check the sensor configuration to see if the sensor was configured to block for that signature.

What you might find is that the NetBIOS packets may be firing signatures other than the NetBIOS signatures. It may be a sweep or flood signature that is firing.Or the sensor might still be firing the NetBIOS signatures because the sensor configuration hadn't been updated (check /usr/nr/etc/packetd.conf and see if it matches what you configured in CSPM).

Something else to keep in mind is that the block/shun may look like it should only block a specific port, but in actuallity the shun/block will stop ALL traffic to and form that IP address and not just the port in the alarm.