[Snort-devel] rpc statdx

mike maxwell mmaxwell at ...1450...
Thu Jun 27 04:56:04 EDT 2002


i was just wondering why rpc: 100024 was removed from the rpc statdx
rule.. i had a dns named.version and then a dsn iquery followed by a
trigerring of the statdx rule show up on my sensor. upon futher
investingation, the dest prot of the rpc scan was udp 53 and there was
no rpc: 100024 in the packet. was this changed for a reason or have i
just found a new tool to overflow bind servers.
-- 
*******************************
*  Mike Maxwell               *
*  System Manager--GMA        *
*  mmaxwell at ...1450...         *
*******************************





More information about the Snort-devel mailing list