[Snort-sigs] RE: rpc endpoint mapper
snort at ...3020...
Thu Mar 10 17:03:22 EST 2005
Sorry, it's actually port 135 that is specified in sid:2192
From: Lee Clemens
Sent: Thursday, March 10, 2005 5:51 PM
To: snort-sigs at lists.sourceforge.net
Subject: rpc endpoint mapper
I have noticed a lot of people sending bind call_id 127 to port 1025 and am
wondering why there is not a rule for this. There is one (sid:2192) but it
is only for port 139. Can anyone explain why this is?
Shouldn't it be categorized as an information leak if someone is using a
tool like ifids to list accessible interfaces from TCP 1025?
This isn't exactly what they've been doing, but they have been trying to
bind--which I can't see as being a good thing.
More information about the Snort-sigs