RSA enVision^® Discussions

JeffHermans · ‎2009-12-02

Our Network department alerted me that our enVision appliance was sending out a large stream of UDP-137 NetBIOS Name Query (NBSTAT) requests to external/public IP addresses. When I verified this on the appliance using a packet capture, I can't match the destination IP addresses with anything related to log data enVision is processing (i.e. enVision attempting to resolve the name of the destination IP address).

We're seeing around 2,000 of these packets every minute.

Is anyone seeing the same on their appliance?

JeffHermans · ‎2009-12-07

Just found KB articles a36602 and a36589 which discuss this issue. Disabling NetBIOS over TCP on the network interfaces fixed the issue.

RSAAdmin · ‎2010-03-08

Im sure this is due to the fact it is trying to resolve the IP addresses.

JeffHermans · ‎2010-03-08

At first I figured it was attempting to put a name to an address that it found as a result of a event log entry, but that didn't seem to be the case. It was attempting to do reverse name lookups on addresses that I couldn't find anywhere in the database and I never put in much time to determine why it was attempting to resolve those addresses.

RSAAdmin · ‎2010-03-08

Thanks. This solved the problem we were having.

RSA enVision® Discussions

enVision sending out UDP 137 NetBIOS Name Query Requests

RSA enVision^® Discussions