Protocol poisoning detected by asset from 0.0.0.0

We see from time to time an incident popping up with an asset (with agent) which detects protocol poisoning: NetBIOS from 0.0.0.0 with a random query.

Does anyone have any idea how to investigate this and what exactly it means? Help would be appreciated.

Kind regards,

Jean-Marc

Several possibilities for 0.0.0.0:

  • “any/all interfaces on the local machine” (e.g. many server apps may bind to 0.0.0.0)
  • device not connected to a network
  • DHCP request from a device which hasn’t yet been assigned an IP address
  • maybe other things

A few questions which might help you/someone narrow down what’s going on here:

  • Is it only this one asset where the issue is detected?
  • Does the detection of NetBIOS poisoning coincide with DHCP lease renewal on the asset?
  • What makes you describe the request as random? Could you share any further details?
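To put the second question (does the NetBIOS alert coincide with a DHCP lease renewal?) into a repeatable check, here is an added triage script that is not part of this thread. It takes constructed flow records (timestamp, source, destination, protocol, ports), tags DHCP client traffic (UDP 68 to 67) and NBNS traffic (UDP port 137), and reports whether each NBNS event sourced from 0.0.0.0 has a DHCP client message from 0.0.0.0 within a configurable window; the record layout and the 30-second window are assumptions, not anything from the original posts.

```python
from datetime import datetime

# Constructed sample flow records, not real telemetry:
# (timestamp, src_ip, dst_ip, proto, src_port, dst_port)
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:00", "0.0.0.0", "255.255.255.255", "udp", 68, 67),   # DHCP DISCOVER/REQUEST
    ("2024-05-01T09:00:03", "0.0.0.0", "192.168.1.255", "udp", 137, 137),   # NBNS query right after DHCP
    ("2024-05-01T12:30:00", "192.168.1.55", "192.168.1.255", "udp", 137, 137),  # normal NBNS from a host
    ("2024-05-01T15:00:00", "0.0.0.0", "192.168.1.255", "udp", 137, 137),   # NBNS from 0.0.0.0, no DHCP nearby
]


def classify(event):
    """Tag one record as DHCP client traffic, NBNS, or other."""
    _, _, _, proto, sport, dport = event
    if proto == "udp" and sport == 68 and dport == 67:
        return "dhcp-client"
    if proto == "udp" and dport == 137:
        return "nbns"
    return "other"


def correlate_zero_source(events, window_seconds=30):
    """For each NBNS record sourced from 0.0.0.0, say whether a DHCP client
    message from 0.0.0.0 occurred within window_seconds of it.

    A nearby DHCP message is consistent with a stack that has not yet been
    assigned an address; no DHCP correlation leaves the alert unexplained
    and worth a closer look at the asset and the network it was on."""
    parsed = [(datetime.fromisoformat(e[0]), e, classify(e)) for e in events]
    dhcp_times = [t for t, e, kind in parsed
                  if kind == "dhcp-client" and e[1] == "0.0.0.0"]
    results = []
    for t, e, kind in parsed:
        if kind != "nbns" or e[1] != "0.0.0.0":
            continue
        near_dhcp = any(abs((t - d).total_seconds()) <= window_seconds
                        for d in dhcp_times)
        results.append({
            "time": e[0],
            "dst": e[2],
            "dhcp_nearby": near_dhcp,
            "verdict": "coincides with DHCP (unassigned address likely)"
                       if near_dhcp else "no DHCP correlation, investigate",
        })
    return results


if __name__ == "__main__":
    for r in correlate_zero_source(SAMPLE_EVENTS):
        print(r)
```

Feed it the records around the alert time from the agent or a packet capture; a 0.0.0.0 NBNS event with no DHCP neighbour is the one to chase, starting with which network the asset was on.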

I have also seen this alert fire many times when an endpoint is connected to a non-managed Wi-Fi network that has some misconfigurations in it. It was always something I asked the customer: “Is the asset connected to a public Wi-Fi? If it is, have them disconnect.”
