netbios-dgm hits

 
 
Knowledge
Guest
Posts: n/a

 
      02-27-2007, 02:51 PM
Every few minutes my firewall gets hit with netbios-dgm hits. Not sure what
is causing this. It is trying to connect to servers which are not even on the
network. Scavenged DNS and WINS, restarted the machine, cleared the cache from the
machine but nothing works.

Here is the output log from the PIX firewall (pasted only three lines, but
there are hundreds like this being generated).
xx.41 seems to be generating this but not sure what program does it. Any
help would be appreciated.

Unknown 10.xx.xx.6 Unknown 3 26th Feb 2007, 00:00:00 %PIX-4-106023: Deny tcp src inside:10.xx.xx.41/139 dst outside:10.1.1.6/14636 by access-group "acl-outbound"
Unknown 10.xx.xx.20 netbios-dgm 3 26th Feb 2007, 00:00:00 %PIX-2-106006: Deny inbound UDP from 10.xx.xx.41/138 to 10.xx.xx.xx/138 on interface inside
Unknown 10.xx.xx.xx netbios-dgm 3 26th Feb 2007, 00:00:00 %PIX-2-106006: Deny inbound UDP from 10.xx.xx.41/138 to 10.xx.xx.xx/138 on interface inside
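
Added example, not part of the original thread: a Python tally of the two PIX deny message types quoted above, grouped by source, destination, protocol and whether the denied packet was sent to a NetBIOS port or came from one. The sample lines are constructed from the post's excerpt, and the regexes assume the 106023 and 106006 layouts exactly as they appear there.

```python
import re
from collections import Counter

NETBIOS = {137: "netbios-ns", 138: "netbios-dgm", 139: "netbios-ssn"}

# Constructed sample: the post's three deny messages with the line wrapping
# removed and the masked addresses kept as posted, plus one extra line.
SAMPLE_LOG = """\
%PIX-4-106023: Deny tcp src inside:10.xx.xx.41/139 dst outside:10.1.1.6/14636 by access-group "acl-outbound"
%PIX-2-106006: Deny inbound UDP from 10.xx.xx.41/138 to 10.xx.xx.xx/138 on interface inside
%PIX-2-106006: Deny inbound UDP from 10.xx.xx.41/138 to 10.xx.xx.xx/138 on interface inside
%PIX-2-106006: Deny inbound UDP from 10.xx.xx.41/138 to 10.xx.xx.20/138 on interface inside
"""

ADDR = r"[0-9x.]+"  # also accepts the masked octets ("xx") used in the post
PATTERNS = [
    re.compile(rf"%PIX-4-106023: Deny (?P<proto>\w+) src [^:\s]+:(?P<src>{ADDR})/(?P<sport>\d+)"
               rf" dst [^:\s]+:(?P<dst>{ADDR})/(?P<dport>\d+) by access-group"),
    re.compile(rf"%PIX-2-106006: Deny inbound (?P<proto>\w+) from (?P<src>{ADDR})/(?P<sport>\d+)"
               rf" to (?P<dst>{ADDR})/(?P<dport>\d+) on interface"),
]

def classify(sport, dport):
    """Say which end of the denied packet is the NetBIOS service port."""
    if dport in NETBIOS:
        return f"sent to {NETBIOS[dport]}"
    if sport in NETBIOS:
        # Source port is the service port: likely an answer to a peer's request.
        return f"reply from {NETBIOS[sport]}"
    return "other"

def summarize(log_text):
    """Count denies per (source, destination, protocol, kind)."""
    counts = Counter()
    for line in log_text.splitlines():
        for pattern in PATTERNS:
            m = pattern.search(line)
            if m:
                kind = classify(int(m["sport"]), int(m["dport"]))
                counts[(m["src"], m["dst"], m["proto"].lower(), kind)] += 1
                break
    return counts

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).most_common():
        print(n, *key)
```

Run over the full firewall log, the destination column shows which peers the source keeps addressing, which narrows the capture filter before a sniffer is attached.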

Michael Giorgio - MS MVP
Guest
Posts: n/a

 
      03-01-2007, 01:03 PM
Looks to be a NetBIOS storm from inside. I would start
with the 10.xx.xx.41 machine. UDP 137, 138 and TCP
139 are primarily used for authentication.

Knowledge
Guest
Posts: n/a

 
      03-06-2007, 03:01 PM
Yes, .41 is a domain controller, but what do I do to start looking for
information? I have looked into obvious programs, none of which is
generating it.

Thanks

 
Michael Giorgio - MS MVP
Guest
Posts: n/a

 
      03-09-2007, 07:09 PM
You could use Netmon or another sniffer to capture the data
from that particular server by filtering everything except that
TCP/IP address. Post the details if you want someone to
identify the packets.
