Snort mailing list archives

NetBIOS UDP 137 for reverse name resolution?


From: "daniele.muscetta () libero it" <daniele.muscetta () libero it>
Date: Tue, 22 Oct 2002 11:37:05 +0200

I have been using Snort and ACID for a very short time, so most likely 
I still don't know enough about them...
I am running the Win32 port (sigh, sob! I know it would be better on 
Linux, but I'll see if I can get another -dedicated- machine, ok?)

When an IP address that shows up in ACID cannot be resolved to its 
FQDN, I have noticed that (most likely due to the resolver of the Win 
box) the box does not only do "normal" DNS resolution, but it also 
tries to connect to the attacker on port UDP 137 (NetBIOS name server). 
Then, since the firewall filters those ports out, I get LOADS of false 
positives like the following:

[snort/402]  ICMP Destination Unreachable (Port Unreachable)

which are VERY annoying, especially because THE MORE I use ACID, the 
more alerts of this kind I keep getting... and the more alerts are in 
the DB, the more it slows down, etc., etc....

Does anyone know how to disable this behaviour WITHOUT having to 
disable the use of NetBIOS on the machine (which I need for other 
stuff)?

Kind Regards,

Daniele Muscetta
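One way to separate the self-inflicted sid 402 alerts described above from genuine ones, as an added example that is not part of the original post: the ICMP Port Unreachable carries a copy of the datagram that triggered it, and Snort's full alert format quotes that inner header, so a sid 402 alert whose quoted datagram is a UDP query to port 137 sent by the ACID console host is the console's own NetBIOS reverse lookup bouncing off the firewall. The alert text below is constructed, and its exact layout (blank-line separation, the "ORIGINAL DATAGRAM DUMP" section) is an assumption about Snort's output that may need adjusting for your version.

```python
import re

# Constructed sample in the style of Snort's "full" alert output (assumed
# layout; adjust the regexes below if your Snort version differs).
SAMPLE_ALERTS = """\
[**] [1:402:4] ICMP Destination Unreachable (Port Unreachable) [**]
10/22-11:37:05.123456 203.0.113.5 -> 192.0.2.10
Type:3  Code:3  DESTINATION UNREACHABLE: PORT UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
192.0.2.10:137 -> 203.0.113.5:137
UDP TTL:128 TOS:0x0 ID:5678 IpLen:20 DgmLen:78
** END OF DUMP

[**] [1:402:4] ICMP Destination Unreachable (Port Unreachable) [**]
10/22-11:40:12.000001 198.51.100.7 -> 192.0.2.20
Type:3  Code:3  DESTINATION UNREACHABLE: PORT UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
192.0.2.20:4567 -> 198.51.100.7:53
UDP TTL:64 TOS:0x0 ID:8765 IpLen:20 DgmLen:60
** END OF DUMP
"""

SID_RE = re.compile(r"\[\*\*\] \[1:(\d+):\d+\]")          # generator 1, sid, rev
INNER_RE = re.compile(                                    # quoted inner datagram header
    r"(\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)\n(\w+) ")

def split_alerts(text):
    """Assumes full-format alerts are separated by a blank line."""
    return [a for a in text.strip().split("\n\n") if a.strip()]

def classify(alert, console_hosts):
    """'netbios-lookup-noise' if this is sid 402 and the quoted original datagram
    is a UDP/137 query sent by one of our ACID console hosts, else 'keep'."""
    m = SID_RE.search(alert)
    if not m or m.group(1) != "402":
        return "keep"
    parts = alert.split("** ORIGINAL DATAGRAM DUMP:", 1)
    if len(parts) < 2:
        return "keep"                      # no inner datagram to judge by
    inner = INNER_RE.search(parts[1])
    if not inner:
        return "keep"
    src, _sport, _dst, dport, proto = inner.groups()
    if src in console_hosts and proto == "UDP" and dport == "137":
        return "netbios-lookup-noise"
    return "keep"

def triage(text, console_hosts):
    """Classify every alert in a Snort full-format alert file."""
    return [classify(a, console_hosts) for a in split_alerts(text)]
```

Alerts tagged as noise can then be dropped or suppressed by source host and port rather than by silencing sid 402 outright, which keeps real port-unreachable alerts from other hosts visible.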




