RE: What does this mean?

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 4 Aug 2005 11:50:52 -0700

You need to learn to read the ISA logs.  The details of what each log field 
means are listed in the ISA help and online at 
http://support.microsoft.com/default.aspx?scid=kb;en-us;284818.

source-ip == blocked ip.  This means it came from your ISA
param#1 == protocol == UDP
param#2 == port == 137
UDP:137 is used for NetBIOS name resolution, which is attempted only when:
- simple names are passed for lookups
- DNS lookups fail
- the host is making a WINS lookup

Because this traffic is destined for a specific server, it's likely a WINS 
request.
The question I then pose to you is "why are you using an external WINS server?"


BTW, when you see similar traffic destined for ip.add.re.ss:UDP:137 and the 
destination IP is a broadcast IP, this is a NB broadcast.
These can be stopped by applying this regvalue:
HKLM\System\CurrentControlSet\NetBT\Parameters\NodeType, DWORD == 0x2
..and reboot the ISA, you won't see these generated by the ISA itself any more.

http://support.microsoft.com/?id=160177 refers.

-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------

________________________________________
From: adam.staub@xxxxxxxxxxxxxxxx [mailto:adam.staub@xxxxxxxxxxxxxxxx] 
Sent: Thursday, August 04, 2005 11:34
To: [ISAserver.org Discussion List]
Subject: [isalist] What does this mean?

I'm seeing the following in my IPFilter log:  What does it mean?  Is somebody 
looking for open shares? 
I'm 64.113.223.123  

date        time      source-ip       destination-ip  protocol  param#1  param#2  filter-rule  interface
2005-08-04  18:26:03  64.113.223.123  66.49.202.206   Udp       1025     137      BLOCKED      64.113.223.123
2005-08-04  18:26:03  64.113.223.123  66.49.202.206   Udp       1025     137      BLOCKED      64.113.223.123
2005-08-04  18:26:05  64.113.223.123  66.49.202.206   Udp       1025     137      BLOCKED      64.113.223.123
2005-08-04  18:26:06  64.113.223.123  66.49.202.206   Udp       1025     137      BLOCKED      64.113.223.123
2005-08-04  18:26:08  64.113.223.123  66.49.202.206   Udp       1025     137      BLOCKED      64.113.223.123

Thanks, 
 Adam 
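
Added example, not part of the original thread: a small Python parser for the IP filter log format quoted above that applies the reply's reasoning (source equal to the ISA's own address, UDP port 137, unicast versus broadcast destination). The function names, the labels, the /24 local network and the third sample record are assumptions made for illustration.

```python
import ipaddress
from collections import Counter

# Field order taken from the header row of the IP filter log in the thread.
FIELDS = ["date", "time", "source_ip", "destination_ip", "protocol",
          "param1", "param2", "filter_rule", "interface"]

# First two records are from the thread (wrapped lines rejoined);
# the third is constructed to show a directed-broadcast destination.
SAMPLE_LOG = """\
2005-08-04 18:26:03 64.113.223.123 66.49.202.206 Udp 1025 137 BLOCKED 64.113.223.123
2005-08-04 18:26:05 64.113.223.123 66.49.202.206 Udp 1025 137 BLOCKED 64.113.223.123
2005-08-04 18:26:09 64.113.223.123 64.113.223.255 Udp 137 137 BLOCKED 64.113.223.123
"""

def parse(line):
    """Split one whitespace-delimited record into a dict keyed by FIELDS."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    return dict(zip(FIELDS, parts))

def is_broadcast(dst, local_net):
    """True for the limited broadcast or the directed broadcast of local_net."""
    addr = ipaddress.ip_address(dst)
    limited = ipaddress.ip_address("255.255.255.255")
    return addr == limited or addr == local_net.broadcast_address

def classify(rec, own_ip, local_net):
    """Label a record; param#2 is read as the port, following the reply."""
    if rec["protocol"].lower() != "udp" or rec["param2"] != "137":
        return "other"
    if rec["source_ip"] != own_ip:
        return "nbns-from-other-host"
    if is_broadcast(rec["destination_ip"], local_net):
        return "nbns-broadcast-from-self"   # NetBIOS broadcast per the reply
    return "nbns-unicast-from-self"         # likely a WINS request per the reply

def summarize(log_text, own_ip, local_net):
    """Count labels over every non-empty record in log_text."""
    net = ipaddress.ip_network(local_net)   # local_net is an assumed prefix
    lines = (l for l in log_text.splitlines() if l.strip())
    return Counter(classify(parse(l), own_ip, net) for l in lines)

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, "64.113.223.123", "64.113.223.0/24"))
```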
