03/14/2010 (1:36 am)
Netbios not following the rules !!!
Now Outpost has correctly detected my 10.10.10.x LAN and I have checked the "trusted" box, which looks like it enables NetBIOS over the LAN by default, and that is what should happen, but it is not the case.
Now I know that the LAN settings take precedence over the system/global rules that I can set up, but I even added rules to allow the 10.10.10.x all incoming and outgoing TCP and UDP on any port!
Still the XP machines get picked up as hacker IPs and occasionally as doing a port scan as well. The funny thing is that I do have a Win2k3 Server and that works as it should. It comes up as trusted zone...etc. BTW, the XP workstations, I have tried with multiple builds and fresh installations as well. ---No firewall enabled; SP1 & SP2.
10.10.10.105 & 10.10.10.24 are the two XP workstations that I am trying to get working here to do f&p sharing on the host. Look at some of the logs below:
Blocked Log:
8:56:50 AM SYSTEM TCP 10.10.10.105 1207 Block Hacker IP After Attack
8:56:34 AM NETBIOS UDP 10.10.10.105 NETBIOS_DGM Block Hacker IP After Attack
8:56:29 AM NETBIOS TCP 10.10.10.105 1206 Block Hacker IP After Attack
8:56:29 AM NETBIOS TCP 10.10.10.105 1205 Block Hacker IP After Attack
Netbios allowed log excerpt: (Funny it says it allows the IP!!!!)
9:09:41 AM 10.10.10.24 IN
9:09:41 AM 10.10.10.24 IN
Allowed today log excerpt: (It says it was allowed also)
9:09:41 AM NETBIOS TCP 10.10.10.24 1173 Trusted Zone
9:09:41 AM NETBIOS TCP 10.10.10.24 1172 Trusted Zone
Alert Tracker Log:
9:20:14 AM Attack Detection Report Port Scanning has been detected from 10.10.10.105 (scanned ports:TCP (MICROSOFT_DS))
9:09:41 AM Attack Detection Report Port Scanning has been detected from 10.10.10.24 (scanned ports:TCP (MICROSOFT_DS))
3:28:42 AM Attack Detection Report Port Scanning has been detected from 10.10.10.105 (scanned ports:TCP (31308, 27394, 7669, 25885, 44441, 2112))
3:16:12 AM Attack Detection Report Port Scanning has been detected from 10.10.10.24 (scanned ports:TCP (MICROSOFT_DS, NETBIOS_SESSION))
Any assistance would be greatly appreciated.
-MV
This is most likely due to the Attack Detection plugin. Plugins operate independently of Outpost rules so it can even block Trusted Addresses if their traffic matches its parameters (i.e. attempting to open too many incoming connections).
Try disabling the Attack Detection plugin and, if this resolves the problem, add your trusted systems to the protect.lst file as detailed in section G4 of 1.
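An added example, not part of either post and not Outpost's own code: before exempting LAN hosts from Attack Detection, this sketch sorts the Alert Tracker lines quoted in the thread into alerts that involve only file-sharing ports and alerts that touch anything else. The subnet `10.10.10.0/24`, the set of sharing port labels, and the function names are assumptions made for the illustration.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Alert Tracker lines copied from the first post in this thread.
ALERTS = """\
9:20:14 AM Attack Detection Report Port Scanning has been detected from 10.10.10.105 (scanned ports:TCP (MICROSOFT_DS))
9:09:41 AM Attack Detection Report Port Scanning has been detected from 10.10.10.24 (scanned ports:TCP (MICROSOFT_DS))
3:28:42 AM Attack Detection Report Port Scanning has been detected from 10.10.10.105 (scanned ports:TCP (31308, 27394, 7669, 25885, 44441, 2112))
3:16:12 AM Attack Detection Report Port Scanning has been detected from 10.10.10.24 (scanned ports:TCP (MICROSOFT_DS, NETBIOS_SESSION))
"""

TRUSTED_LAN = ip_network("10.10.10.0/24")  # assumption: the poster's "10.10.10.x" LAN
# Assumption: these labels (all seen in the posted logs) are file and printer sharing.
SHARING_PORTS = {"MICROSOFT_DS", "NETBIOS_SESSION", "NETBIOS_DGM"}

ALERT_RE = re.compile(
    r"^(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) Attack Detection Report Port Scanning "
    r"has been detected from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"\(scanned ports:(?P<proto>TCP|UDP) \((?P<ports>[^)]*)\)\)$"
)

def triage(log_text):
    """Group port-scan alerts from trusted-LAN sources by what was scanned."""
    result = defaultdict(lambda: {"sharing_only": [], "other": []})
    for line in log_text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m or ip_address(m["ip"]) not in TRUSTED_LAN:
            continue  # not a port-scan alert, or not a LAN host
        ports = [p.strip() for p in m["ports"].split(",") if p.strip()]
        unexpected = [p for p in ports if p not in SHARING_PORTS]
        if unexpected:
            result[m["ip"]]["other"].append((m["time"], unexpected))
        else:
            result[m["ip"]]["sharing_only"].append(m["time"])
    return dict(result)

def exemption_candidates(log_text):
    """Hosts whose every alert involved only file-sharing ports."""
    return sorted(ip for ip, r in triage(log_text).items() if not r["other"])

if __name__ == "__main__":
    for ip, r in triage(ALERTS).items():
        print(ip, "sharing-only:", r["sharing_only"], "other:", r["other"])
    print("exemption candidates:", exemption_candidates(ALERTS))
```

On the posted lines, 10.10.10.24 shows only file-sharing ports, while 10.10.10.105 also has the 3:28:42 AM alert covering six numbered TCP ports, which is worth explaining before that host is exempted.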