Problem with Norton - did I do a bad thing?

[couture57]

After using uTorrent for a couple of months, I have suddenly gotten 5 "intrusion blocks" in the last few hours. NIS seems to be saying that it is MY machine that is attacking a machine that is connected as a peer. The log reads as follows:

Details: Attempted Intrusion "MS Windows H.323 BO (2)" from your machine against _._._._ (a machine in my connected peer list) was detected and blocked.

Intruder: ______(name and local address of my machine).

Risk Level: High.

Protocol: TCP.

Attacked IP: __.__._.__. (the peer)

Attacked Port: 1720.

After searching this forum, I configured NIS to ignore "MS Windows H.323 BO (1)" and "MS Windows H.323 BO (2)". Was that the best solution? I get the impression from reading other posts related to NIS that this is an unnecessary block, but I don't want to leave myself open to any REAL threats, and I am especially concerned that it seems to indicate it is ME that is doing the attacking!

Any advice would be appreciated. I know that many people seem to think the NIS is junk and should be replaced, but it works best for me for a variety of reasons. It seems to get along well with PeerGuardian and my network, so why mess with a (usually!) good thing?

[Ultima]

Happens because you're using port 1720 -- the default port used for NetMeeting. Any reason you're using that port?

[couture57]

Perhaps it was the other computer using that port? I have to admit I don't totally understand ports, but I have uTorrent set to only use 30065 and not a random port, since I had to configure my router to deal with it.

eta: Okay, I'm learning - I just checked and apparently the outgoing port I was using at the time was 2393. The 30065 is my incoming port.

I think the 1720 refers to the other machine (the peer) because it shows that as the "attacked port" right after it shows his ip as the "attacked ip".

[Ultima]

The peer must be using port 1720 as his listening port then. In any case, it can only be labeled as NIS misunderstanding.

[couture57]

Thanks for the clarification and your assistance. I guess I am safe to leave my NIS like it is, blocking those two "threats".

Too bad the other person doesn't know he's using a vulnerable port.

[Ultima]

He's not using a vulnerable port. It's only as vulnerable as the application listening on the port, and µTorrent isn't vulnerable. It's just NIS's heuristic detection thinking that any application that attempts to connect to port 1720 on someone else's computer is being malicious. The reason some people use port 1720 is because there was a time when that port was unblocked by Rogers, and several other ISPs. Those days are long gone, and the port gets throttled by most ISPs nowadays, but people just don't bother changing sometimes.

[couture57]

I understand, and that makes sense. I did a Whois on his ip, and it is Rogers.