05-29-2002 06:41 AM - edited 03-08-2019 10:47 PM
Getting a ton of these alarms, any ideas why or how to prevent? I assume port 137 broadcasts are normal Windows operation. I wouldn't think that should trigger an alarm. The sensor is on a LAN segment with servers keeping an eye on traffic from other LANs to these servers.
p.s. I know I can filter out the alarm on the sensor.
>>>>>>
2002/05/28 12:10:34
Source: 192.168.250.114:137 Destination: 192.168.250.255:137
Signature: 4050:0 UDP Bomb 2
NSDB: /nsdb/expsig_4050.html
05-29-2002 06:49 AM
I get the same darned thing.. Thousands upon thousands.. determined it was legit so I just demoted UDP Bomb to level 2 (information only) so it wouldn't annoy us.
05-29-2002 10:00 AM
We've not heard of a large increase in this alarm's false positive rate before. Could either of the gentlemen please email or post what IDS version they are running? Also, a general idea of what your Windows network looks like? What software version are you running predominately, what's the domain structure if any (NT4, Win2K AD, XP, .NET???), predominant client? I'm wondering if something changed in XP or .NET servers that is causing this.
Scott C.
05-29-2002 11:55 AM
Might have my own answer. It might be our Norton AV mgr. polling all clients. Checking.
05-29-2002 01:47 PM
I've seen it trigger on the use of Cisco's VPN client software......