[Snort-sigs] SID 2492 - Question

Michael Sconzo msconzo at ...1371...
Mon Aug 16 09:33:03 EDT 2004


http://www.snort.org/snort-db/sid.html?sid=2492

It appears to be looking for bind attemps on port 139 (same with SID: 2493).
And SID 2491 looks for bind attempts on port 445, yet they activate the SIDS
2351 and 2352 (which both look for traffic on port 135).

So, am I understanding it right, that first the worm/exploit/whatever
will attempt to 'bind' to port 139 or 445, then send the exploit
over port 135?

Thanks,
-=Mike

-- 
The New Testament offers the basis for modern computer coding theory,
in the form of an affirmation of the binary number system.
        But let your communication be Yea, yea; nay, nay: for
        whatsoever is more than these cometh of evil.
                -- Matthew 5:37




More information about the Snort-sigs mailing list