Dangermouse 5 Posted December 4, 2016 Share Posted December 4, 2016 I've just noticed this in my firewall log 3/12/2016 9:36:38 PM; An attempt to connect to the Server Service was detected; Source 192.168.1.6:11909; Destination 192.168.1.6:445;TCP; ;System; Obviously this is something internal to my network rather than an external attack, but what is it trying to tell me ? Using ESS version 9 Link to comment Share on other sites More sharing options...
itman 1,748 Posted December 4, 2016 Share Posted December 4, 2016 (edited) Use can read about SMB port 445 here: https://isc.sans.edu/forums/diary/Cyber+Security+Awareness+Month+Day+1+Port+445+SMB+over+TCP/7210/ . Normally, if restricted to your internal network as appears to be your case, such traffic is OK. However, a vulnerability in its use that affects all Win versions was discovered a few months ago: hxxp://www.darkreading.com/vulnerabilities---threats/windows-badtunnel-attack-hijacks-network-traffic/d/d-id/1325875 . So make sure you have applied all Win Updates to date. One possibility for these firewall log entries is you have disabled the "Allow incoming connection to admin shares in SMB protocol" setting in Eset's IDS advanced options settings. This option in reality is only needed for domain environments. However, I have always had this setting disabled and never seen the alerts you posted. -EDIT- If these log entries persist, I would do what is recommended in the DarkReadingRoom article, namely: I suggest you disable the NetBIOS over TCP/IP to prevent BadTunnel attack,” he says. You do so by going into your TCP/IP settings for IPv4 and disabling it there. Edited December 4, 2016 by itman Link to comment Share on other sites More sharing options...
Recommended Posts