[Snort-sigs] rpc endpoint mapper
snort at ...3020...
Thu Mar 10 14:50:15 EST 2005
I have noticed a lot of people sending bind call_id 127 to port 1025 and am
wondering why there is not a rule for this. There is one (sid:2192) but it
is only for port 139. Can anyone explain why this is?
Shouldn't it be categorized as an information leak if someone is using a
tool like ifids to list accessible interfaces from TCP 1025?
This isn't exactly what they've been doing, but they have been trying to
bind--which I can't see as being a good thing.
More information about the Snort-sigs