rstevekadish
Level 9

Source Port 0

Hi all,

We are using HIPS 7 Firewall to block NetBIOS requests between workstations on the same subnet, which will theoretically slow the spread of malware.  We use the trusted network list to exempt the servers.  Today, I had a user complaining that he couldn't open up a mapped network drive.  After investigating, I found that the HIPS log from his workstation was recording the traffic as coming from source port 0.  Since the rule allowing access to the servers only accounted for high-numbered source ports, he was being blocked.

Port 0 traffic is unusual, and I suspect that there is a difference in the configuration of his workstation.  It also occurred to me that it might be a quirk of HIPS.  Has anyone seen this problem before?  I would appreciate any advice that anyone has for me.

Thanks,

- Steve

0 Kudos
2 Replies
McAfee Employee

Re: Source Port 0

Source Port 0 might indicate unsupported protocol traffic.  Do you have the Firewall Option "Allow traffic for unsupported Protocols" enabled?  This option will allow unsupported protocol traffic through the Firewall/NDIS drivers, instead of being blocked.

0 Kudos
rstevekadish
Level 9

Re: Source Port 0

Hi Kary,

Thanks for the response.  Actually HIPS is saying that it is TCP.  The log entry looks like this:

"Blocked Outgoing TCP - Source xx.xx.xx.xx : (0) Destination xx.xx.xx.xx : netbios-ssn (139)"

- Steve

0 Kudos
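One way to check whether source port 0 shows up for a single workstation or for many is to tally entries per source host from exported firewall log lines. This is an added example, not part of the thread and not McAfee code. It assumes every entry follows the layout of the one line quoted above; the `Allowed` action, the `Incoming` direction, the optional service name on the source side and all sample addresses are constructed.

```python
import re
from collections import defaultdict

# Layout taken from the single entry quoted in the thread. Assumptions: other
# actions/directions use the same layout, and a service name may precede "(port)".
ENTRY = re.compile(
    r"(?P<action>\w+) (?P<direction>Incoming|Outgoing) (?P<proto>TCP|UDP) - "
    r"Source (?P<src>\S+) : (?:[\w-]+ )?\((?P<sport>\d+)\) "
    r"Destination (?P<dst>\S+) : (?:(?P<service>[\w-]+) )?\((?P<dport>\d+)\)"
)

# Constructed sample lines (documentation addresses), not real log data.
SAMPLE_LOG = [
    '"Blocked Outgoing TCP - Source 192.0.2.10 : (0) Destination 192.0.2.200 : netbios-ssn (139)"',
    '"Blocked Outgoing TCP - Source 192.0.2.10 : (0) Destination 192.0.2.200 : netbios-ssn (139)"',
    '"Allowed Outgoing TCP - Source 192.0.2.11 : (49734) Destination 192.0.2.200 : netbios-ssn (139)"',
    '"Blocked Incoming TCP - Source 192.0.2.12 : (51002) Destination 192.0.2.11 : netbios-ssn (139)"',
    "unrelated line that does not match the layout",
]

def parse_entry(line):
    """Return the fields of one log entry as a dict, or None if it does not match."""
    m = ENTRY.search(line)
    if m is None:
        return None
    entry = m.groupdict()
    entry["sport"] = int(entry["sport"])
    entry["dport"] = int(entry["dport"])
    return entry

def summarize(lines):
    """Map each source address to (entries with source port 0, total entries)."""
    counts = defaultdict(lambda: [0, 0])
    for line in lines:
        entry = parse_entry(line)
        if entry is None:
            continue  # skip lines that are not firewall entries
        counts[entry["src"]][1] += 1
        if entry["sport"] == 0:
            counts[entry["src"]][0] += 1
    return {src: tuple(c) for src, c in counts.items()}

def hosts_logging_port_zero(lines):
    """Sorted source addresses that logged at least one source-port-0 entry."""
    return sorted(src for src, (zero, _) in summarize(lines).items() if zero)

if __name__ == "__main__":
    for src, (zero, total) in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{src}: {zero}/{total} entries with source port 0")
```

If only one host appears in the result, the workstation's configuration is the likelier cause; if every host does, the logging itself is the place to look.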