2 Replies Latest reply on Jun 18, 2012 2:00 PM by rstevekadish

    Source Port 0

    rstevekadish

      Hi all,

       

      We are using HIPS 7 Firewall to block NetBIOS requests between workstations on the same subnet, which will theoretically slow the spread of malware.  We use the trusted network list to exempt the servers.  Today, I had a user complaining that he couldn't open up a mapped network drive.  After investigating, I found that the HIPS log from his workstation was recording the traffic as coming from source port 0.  Since the rule allowing access to the servers only accounted for high-numbered source ports, he was being blocked.

       

      Port 0 traffic is unusual, and I suspect that there is a difference in the configuration of his workstation.  It also occurred to me that it might be a quirk of HIPS.  Has anyone seen this problem before?  I would appreciate any advice that anyone has for me.

       

      Thanks,

      - Steve

        • 1. Re: Source Port 0
          Kary Tankink

          Source Port 0 might indicate unsupported protocol traffic.  Do you have the Firewall Option "Allow traffic for unsupported Protocols" enabled?  This option will allow unsupported protocol traffic through the Firewall/NDIS drivers, instead of being blocked.

          • 2. Re: Source Port 0
            rstevekadish

            Hi Kary,

             

            Thanks for the response.  Actually HIPS is saying that it is TCP.  The log entry looks like this:

             

            "Blocked Outgoing TCP - Source xx.xx.xx.xx : (0) Destination xx.xx.xx.xx : netbios-ssn (139)"

             

            - Steve
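
To see how many workstations are affected, the quoted entry can be matched across collected logs. The following Python script is an added example, not part of the original thread and not vendor code: it parses entries shaped like the one quoted above and counts blocked TCP/UDP entries that report source port 0. The sample lines and addresses are constructed, and any field layout beyond the single quoted entry is an assumption.

```python
import re
from collections import Counter

# Shape taken from the one entry quoted in the thread:
#   Blocked Outgoing TCP - Source a.b.c.d : (0) Destination a.b.c.d : netbios-ssn (139)
# A service name in front of a port number is treated as optional (assumption).
ENTRY = re.compile(
    r'(?P<action>\w+)\s+(?P<direction>\w+)\s+(?P<proto>\w+)\s+-\s+'
    r'Source\s+(?P<src>\S+)\s*:\s*(?:[\w-]+\s+)?\((?P<sport>\d+)\)\s+'
    r'Destination\s+(?P<dst>\S+)\s*:\s*(?:[\w-]+\s+)?\((?P<dport>\d+)\)'
)

def parse_entry(line):
    """Return the entry's fields as a dict, or None if the line does not match."""
    m = ENTRY.search(line)
    if m is None:
        return None
    entry = m.groupdict()
    entry["sport"] = int(entry["sport"])
    entry["dport"] = int(entry["dport"])
    return entry

def port_zero_blocks(lines):
    """Count blocked TCP/UDP entries with source port 0, keyed by (src, dst, dport)."""
    hits = Counter()
    for line in lines:
        e = parse_entry(line)
        if (e and e["action"] == "Blocked"
                and e["proto"] in ("TCP", "UDP") and e["sport"] == 0):
            hits[(e["src"], e["dst"], e["dport"])] += 1
    return hits

# Constructed sample lines using documentation addresses (192.0.2.0/24).
SAMPLE_LOG = [
    '"Blocked Outgoing TCP - Source 192.0.2.10 : (0) Destination 192.0.2.200 : netbios-ssn (139)"',
    '"Blocked Outgoing TCP - Source 192.0.2.10 : (0) Destination 192.0.2.200 : netbios-ssn (139)"',
    '"Blocked Outgoing TCP - Source 192.0.2.11 : (49712) Destination 192.0.2.12 : netbios-ssn (139)"',
    'unrelated line that is not a firewall entry',
]

if __name__ == "__main__":
    for (src, dst, dport), count in port_zero_blocks(SAMPLE_LOG).items():
        print(f"{src} -> {dst}:{dport} blocked with source port 0 ({count} entries)")
```

If the same source and destination pairs also show up with ordinary high-numbered source ports, that helps narrow down whether the port 0 value is tied to one workstation or to how the entry is recorded.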