UDP Bomb

dmorone
Level 1

Getting a ton of these alarms, any ideas why or how to prevent? I assume port 137 broadcasts are normal Windows operation. I wouldn't think that should trigger an alarm. The sensor is on a LAN segment with servers keeping an eye on traffic from other LANs to these servers.

p.s. I know I can filter out the alarm on the sensor.

>>>>>>

2002/05/28 12:10:34

Source: 192.168.250.114:137 Destination: 192.168.250.255:137

Signature: 4050:0 UDP Bomb 2

NSDB: /nsdb/expsig_4050.html

4 Replies

brenden
Level 1

I get the same darned thing... Thousands upon thousands... Determined it was legit, so I just demoted UDP Bomb to level 2 (information only) so it wouldn't annoy us.

We've not heard of a large increase in this alarm's false positive rate before. Could either of the gentlemen please email or post what IDS version they are running? Also, a general idea of what your Windows network looks like? What software version are you running predominantly, what's the domain structure if any (NT4, Win2K AD, XP, .NET???), predominant client? I'm wondering if something changed in XP or .NET servers that is causing this.

Scott C.

scothrel@cisco.com

Might have my own answer. It might be our Norton AV mgr. polling all clients. Checking.

I've seen it trigger on the use of Cisco's VPN client software...