Welcome to ISAserver.org
Suspicious port 445 internal to various 10.1.x.x external denied
Suspicious port 445 internal to various 10.1.x.x extern... - 20.Oct.2004 7:22:00 PM
tjcarst
I have many clients, my PC included, that continually log:
Destination IP: (various 10.1.x.x), Destination Port: 445, Protocol: Microsoft CIFS (TCP), Denied Connection, Default Rule, Client IP: (Client IP), Source Network: Internal, Destination Network: External, HTTP Method: <blank>, URL: <blank>.
My ISA server is on the 10.1.0.0/16 range. What is scanning this range and how can I stop it? Or should I? Is this something the Firewall or SecureNAT Clients are doing?
Thank you.
tjcarst
RE: Suspicious port 445 internal to various 10.1.x.x ex... - 20.Oct.2004 10:32:00 PM
Jason Jones
This is normal traffic for MS machines broadcasting and trying to find other Windows machines - it is normal.
If you don't want your logs to fill with these entries, then create a cleanup rule just above your deny rule and turn off logging of unwanted traffic.
JJ
RE: Suspicious port 445 internal to various 10.1.x.x ex... - 22.Oct.2004 9:00:00 PM
tjcarst
Thanks, Jason. What I found suspicious was that it is only my machine doing this at the time.
I am on a 172.16.x.x/16 range and it is looking at 10.1.x.x/16 which is where the external port of the ISA resides (there's another hardware firewall between ISA and the internet).
It is always going to be stopped by the default Deny rule; I don't allow from internal to external using port 445. Internet access is only allowed if a member of a specific group. Many users are not allowed access outside of the local LAN. Do you suggest I also turn off logging of Deny? Thanks.
tjcarst
RE: Suspicious port 445 internal to various 10.1.x.x ex... - 24.Oct.2004 5:29:00 AM
ClintD
No - this is not normal traffic. Windows machines do indeed Broadcast but only perform a NetBIOS broadcast on UDP 138 and then only to the Local Subnet. You should scan that system to see if it has an infection or not.
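
To find which internal clients produce entries like the one quoted in the first post, the denied port-445 lines can be grouped by client and counted by distinct destination. The following is an added example, not part of the original thread; it assumes one log entry per line in the field layout quoted in the first post, and the sample lines, addresses and the threshold of 5 are constructed.

```python
import re
from collections import defaultdict

# Field names as quoted in the first post; the one-entry-per-line layout is an assumption.
FIELD = re.compile(r"(Destination IP|Destination Port|Client IP):\s*([0-9.]+)")

def parse_line(line):
    """Return (client_ip, dest_ip, dest_port) for a denied entry, else None."""
    if "Denied Connection" not in line:
        return None
    fields = dict(FIELD.findall(line))
    try:
        return fields["Client IP"], fields["Destination IP"], int(fields["Destination Port"])
    except (KeyError, ValueError):
        return None

def smb_fanout(lines, port=445, threshold=5):
    """Map each client to the distinct destinations it was denied on `port`,
    keeping only clients with at least `threshold` distinct destinations."""
    seen = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[2] == port:
            seen[parsed[0]].add(parsed[1])
    return {client: dests for client, dests in seen.items() if len(dests) >= threshold}

def make_line(client, dest, port=445, action="Denied Connection"):
    """Build a constructed log line in the layout quoted in the first post."""
    return (f"Destination IP: {dest}, Destination Port: {port}, "
            f"Protocol: Microsoft CIFS (TCP), {action}, Default Rule, "
            f"Client IP: {client}, Source Network: Internal, "
            f"Destination Network: External")

# Constructed sample: one client touching 8 different 10.1.x.x hosts on 445,
# one client retrying a single host, one client denied on an unrelated port.
SAMPLE = (
    [make_line("172.16.0.25", f"10.1.{i}.{i * 7 % 250 + 1}") for i in range(1, 9)]
    + [make_line("172.16.0.31", "10.1.0.1")] * 4
    + [make_line("172.16.0.40", "10.1.3.3", port=80)]
)

if __name__ == "__main__":
    for client, dests in smb_fanout(SAMPLE).items():
        print(f"{client}: {len(dests)} distinct port-445 destinations denied")
```

A client that repeatedly retries one host stays below the threshold, while a client walking many addresses in the range stands out and is the one to scan first.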