Cisco Support Community
New Member

UDP Bomb

Getting a ton of these alarms, any ideas why or how to prevent? I assume port 137 broadcasts are normal Windows operation. I wouldn't think that should trigger an alarm. The sensor is on a LAN segment with servers keeping an eye on traffic from other LANs to these servers.

P.S. I know I can filter out the alarm on the sensor.

>>>>>>

2002/05/28 12:10:34

Source: 192.168.250.114:137 Destination: 192.168.250.255:137

Signature: 4050:0 UDP Bomb 2

NSDB: /nsdb/expsig_4050.html

4 REPLIES
New Member

Re: UDP Bomb

I get the same darned thing.. Thousands upon thousands.. Determined it was legit, so I just demoted UDP Bomb to level 2 (information only) so it wouldn't annoy us.

Cisco Employee

Re: UDP Bomb

We've not heard of a large increase in this alarm's false positive rate before. Could either of the gentlemen please email or post what IDS version they are running? Also, a general idea of what your Windows network looks like? What software version are you running predominantly, what's the domain structure, if any (NT4, Win2K AD, XP, .NET???), predominant client? I'm wondering if something changed in XP or .NET servers that is causing this.

Scott C.

scothrel@cisco.com

New Member

Re: UDP Bomb

Might have my own answer. It might be our Norton AV mgr. polling all clients. Checking.

New Member

Re: UDP Bomb

I've seen it trigger on the use of Cisco's VPN client software......
