Cisco MARS event question
Hey guys, I currently work in security and I have been seeing quite a bit of NetBIOS traffic coming from 2 IP addresses consistently. The targets change in sequential order, but all the target ports are being reported in Cisco MARS as port 139. I contacted the local admin at the location where I am seeing these events, and according to them the 2 source IP addresses are web servers that have print servers on them. I had the local admin update the antivirus and scan both boxes in question, and according to them nothing was found. I am just curious whether anyone seeing this traffic like I am would think that it is a ping sweep, or whether that could be normal traffic given the devices I have explained are sending it out. It seems a little odd that this is the only location that I am seeing this traffic from, and all other sites that have similar infrastructure are not showing any of this traffic.
Comments
JDMurray Admin Posts: 13,089 Admin
Those two hosts probably have software configured to periodically look for NetBIOS services on the network, or are advertising file and printer sharing. Check what services are running on the hosts and see if any of them use NetBIOS over TCP/IP.
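
One way to put a number on the sweep-versus-normal question raised in this thread, as an added example that is not part of the original posts: for each source, list the distinct port-139 targets in the order first contacted and measure how often the next target is exactly the previous address plus one. The event format, addresses and thresholds are assumptions; a Cisco MARS export would need to be mapped to these four fields.

```python
import ipaddress
from collections import defaultdict

# Constructed sample events (not from the thread): "timestamp src dst dport".
# 10.1.1.10 walks a subnet in order; 10.1.1.20 talks to scattered peers.
SAMPLE_EVENTS = "\n".join(
    [f"2024-01-01T10:00:{i:02d} 10.1.1.10 10.1.2.{i} 139" for i in range(1, 9)]
    + [f"2024-01-01T10:05:{n:02d} 10.1.1.20 10.1.3.{h} 139"
       for n, h in enumerate([5, 40, 12, 77, 23, 5, 91])]
    + ["2024-01-01T10:06:00 10.1.1.20 10.1.3.5 80"]
)

def parse_events(text):
    """Parse whitespace-separated event lines, skipping malformed ones."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, dport = parts
        events.append((ts, ipaddress.ip_address(src),
                       ipaddress.ip_address(dst), int(dport)))
    return events

def sweep_report(events, port=139, min_targets=5, seq_ratio=0.8):
    """Per source: distinct targets on `port` and share of +1 address steps."""
    targets = defaultdict(list)
    for ts, src, dst, dport in sorted(events, key=lambda e: e[0]):
        if dport == port and dst not in targets[src]:
            targets[src].append(dst)  # keep first-contact order
    report = {}
    for src, dsts in targets.items():
        steps = [int(b) - int(a) for a, b in zip(dsts, dsts[1:])]
        ratio = sum(1 for s in steps if s == 1) / len(steps) if steps else 0.0
        report[str(src)] = {
            "targets": len(dsts),
            "sequential_ratio": round(ratio, 2),
            # Many targets visited in address order looks like enumeration;
            # a stable set of unordered peers looks like file/print sharing.
            "sweep_like": len(dsts) >= min_targets and ratio >= seq_ratio,
        }
    return report

if __name__ == "__main__":
    for src, stats in sweep_report(parse_events(SAMPLE_EVENTS)).items():
        print(src, stats)
```

A high sequential ratio only describes the pattern; the cause still has to be found on the host by identifying which service or process opens the port-139 connections.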