[Snort-sigs] RE: rpc endpoint mapper

Lee Clemens snort at ...3020...
Thu Mar 10 17:03:22 EST 2005

Sorry, it's actually port 135 that is specified in sid:2192

-----Original Message-----
From: Lee Clemens 
Sent: Thursday, March 10, 2005 5:51 PM
To: snort-sigs at lists.sourceforge.net
Subject: rpc endpoint mapper

Hello everyone,

I have noticed a lot of people sending bind call_id 127 to port 1025 and am
wondering why there is not a rule for this. There is one (sid:2192) but it
is only for port 139. Can anyone explain why this is? 

Shouldn't it be categorized as an information leak if someone is using a
tool like ifids to list accessible interfaces from TCP 1025?

This isn't exactly what they've been doing, but they have been trying to
bind--which I can't see as being a good thing.

