05-29-2002 06:41 AM - edited 03-08-2019 10:47 PM
Getting a ton of these alarms, any ideas why or how to prevent? I assume port 137 broadcasts are normal Windows operation. I wouldn't think that should trigger an alarm. The sensor is on a LAN segment with servers keeping an eye on traffic from other LANs to these servers.
P.S. I know I can filter out the alarm on the sensor.
>>>>>>
2002/05/28 12:10:34
Source: 192.168.250.114:137 Destination: 192.168.250.255:137
Signature: 4050:0 UDP Bomb 2
NSDB: /nsdb/expsig_4050.html
05-29-2002 06:49 AM
I get the same darned thing. Thousands upon thousands. Determined it was legit, so I just demoted UDP Bomb to level 2 (information only) so it wouldn't annoy us.
05-29-2002 10:00 AM
We've not heard of a large increase in this alarm's false positive rate before. Could either of the gentlemen please email or post what IDS version they are running? Also, a general idea of what your Windows network looks like? What software version are you running predominantly, what's the domain structure, if any (NT4, Win2K AD, XP, .NET???), predominant client? I'm wondering if something changed in XP or .NET servers that is causing this.
Scott C.
05-29-2002 11:55 AM
Might have my own answer. It might be our Norton AV mgr. polling all clients. Checking.
05-29-2002 01:47 PM
I've seen it trigger on the use of Cisco's VPN client software......