RE: What does this mean?

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 4 Aug 2005 13:19:12 -0700

Bad form, Smee...

The only other way to analyze this is to use your favorite network 
capture tool and watch the external interface until this is logged.
Then you can analyze the traffic to see what's going on.

-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------
 
-----Original Message-----
From: adam.staub@xxxxxxxxxxxxxxxx [mailto:adam.staub@xxxxxxxxxxxxxxxx] 
Sent: Thursday, August 04, 2005 13:01
To: Jim Harrison
Subject: RE: [isalist] RE: What does this mean?

Jim:
  Thanks for the response. That is the weird thing, I'm not using WINS at all?
The fields are blank in the Network config?

Adam

-----Original Message-----
From: Jim Harrison [mailto:             ] 
Sent: Thursday, August 04, 2005 1:51 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: What does this mean?

http://www.ISAserver.org

You need to learn to read the ISA logs.  The details of what each log field 
means are listed in the ISA help and online at 
http://support.microsoft.com/default.aspx?scid=kb;en-us;284818.

source-ip == blocked ip.  This means it came from your ISA
param#1 == protocol == UDP
param#2 == port == 137
UDP:137 is used for NetBIOS name resolution, which is attempted only when:
- simple names are passed for lookups
- DNS lookups fail
- the host is making a WINS lookup

Because this traffic is destined for a specific server, it's likely a WINS 
request.
The question I then pose to you is "why are you using an external WINS server?"


BTW, when you see similar traffic destined for ip.add.re.ss:UDP:137 and the 
destination IP is a broadcast IP, this is a NB broadcast.
These can be stopped by applying this regvalue:
HKLM\System\CurrentControlSet\NetBT\Parameters\NodeType, DWORD == 0x2
...and reboot the ISA, you won't see these generated by the ISA itself any more.

http://support.microsoft.com/?id=160177 refers.

-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------

________________________________________
From: adam.staub@xxxxxxxxxxxxxxxx [mailto:adam.staub@xxxxxxxxxxxxxxxx]
Sent: Thursday, August 04, 2005 11:34
To: [ISAserver.org Discussion List]
Subject: [isalist] What does this mean?

I'm seeing the following in my IPFilter log. What does it mean?  Is somebody 
looking for open shares? 
I'm 64.113.223.123  

date        time      source-ip       destination-ip  protocol  param#1  param#2  filter-rule  interface
2005-08-04  18:26:03  64.113.223.123  66.49.202.206   Udp       1025     137      BLOCKED      64.113.223.123
2005-08-04  18:26:03  64.113.223.123  66.49.202.206   Udp       1025     137      BLOCKED      64.113.223.123
2005-08-04  18:26:05  64.113.223.123  66.49.202.206   Udp       1025     137      BLOCKED      64.113.223.123
2005-08-04  18:26:06  64.113.223.123  66.49.202.206   Udp       1025     137      BLOCKED      64.113.223.123
2005-08-04  18:26:08  64.113.223.123  66.49.202.206   Udp       1025     137      BLOCKED      64.113.223.123

Thanks,
 Adam 
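
The log reading discussed in this thread, as an added example that is not part of the original messages: it parses packet-filter records in the column layout shown above and labels UDP 137 entries by origin (the firewall itself or a remote host) and by destination type (a specific server or a broadcast address). Assumptions: for UDP records param#1 is the source port and param#2 the destination port, the interface column holds the firewall's own address, `local_net` is a hypothetical parameter for the external subnet, and the sample lines are constructed with documentation addresses.

```python
import ipaddress
from collections import Counter

FIELDS = ["date", "time", "source-ip", "destination-ip", "protocol",
          "param#1", "param#2", "filter-rule", "interface"]

# Constructed sample in the post's column layout (RFC 5737 documentation
# addresses; 192.0.2.10 plays the firewall's external interface).
SAMPLE_LOG = """\
date time source-ip destination-ip protocol param#1 param#2 filter-rule interface
2005-08-04 18:26:03 192.0.2.10 198.51.100.7 Udp 1025 137 BLOCKED 192.0.2.10
2005-08-04 18:26:05 192.0.2.10 198.51.100.7 Udp 1025 137 BLOCKED 192.0.2.10
2005-08-04 18:26:06 192.0.2.10 198.51.100.7 Udp 1025 137 BLOCKED 192.0.2.10
2005-08-04 18:27:10 192.0.2.10 192.0.2.255 Udp 137 137 BLOCKED 192.0.2.10
2005-08-04 18:28:41 203.0.113.50 192.0.2.10 Udp 1026 137 BLOCKED 192.0.2.10
2005-08-04 18:28:42 203.0.113.50 192.0.2.10 Tcp 4321 445 BLOCKED 192.0.2.10
"""

LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

def parse(text):
    """Yield one dict per whitespace-separated record, skipping the header."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == len(FIELDS) and parts[0] != "date":
            yield dict(zip(FIELDS, parts))

def classify(rec, local_net):
    """Label a record: who sent it, and is it NetBIOS name traffic (UDP 137)?"""
    # Assumption: for UDP, param#1 is the source port, param#2 the destination port.
    if rec["protocol"].lower() != "udp" or rec["param#2"] != "137":
        return "other"
    # Assumption: the interface column holds the firewall's own address.
    origin = "self" if rec["source-ip"] == rec["interface"] else "remote"
    dst = ipaddress.ip_address(rec["destination-ip"])
    net = ipaddress.ip_network(local_net)
    broadcast = dst in (net.broadcast_address, LIMITED_BROADCAST)
    return f"{origin}:netbios-{'broadcast' if broadcast else 'unicast'}"

def summarize(text, local_net):
    """Count records per (label, destination) so repeated lookups stand out."""
    return Counter((classify(r, local_net), r["destination-ip"])
                   for r in parse(text))

if __name__ == "__main__":
    for (label, dst), n in summarize(SAMPLE_LOG, "192.0.2.0/24").most_common():
        print(f"{n:3d}  {label:24s} -> {dst}")
```

A repeated `self:netbios-unicast` count against one external address is the pattern read above as a likely WINS request; `self:netbios-broadcast` is the NB broadcast case that the NodeType value is meant to stop.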



------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: 
jim@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx 
