Reporter master console is sending traffic on port 137 UDP that is trying to reach external hosts.

Document ID : KB000023043
Last Modified Date : 14/02/2018
Show Technical Document Details

Issue:
The RA Console server is sending traffic on port 137 UDP to external hosts outside of your firewall, causing alerts within your security team.

Environment:

RA 9.0 and earlier

 

Cause:

This is normal NetBIOS traffic that occurs when RA is unable to resolve an IP seen in netflow through DNS.

When a name does not resolve, RA tries to connect using NetBIOS to get the machine name of the host.? 

 

Resolution:
To disable NetBIOS in RA:

  1. Remote desktop to the RA master console 

  2. Open up Control Panel --> Network Connections 

  3. Right click on the NIC and select Properties 

  4. Select Internet Protocol (TCP/IP) in the list of items and click Properties.

  5. Click on Advanced

  6. Go to the WINS tab

  7. In the NetBIOS setting box, select Disable NetBIOS over TCP/IP