[Snort-users] rpc endpoint mapper

Lee Clemens snort at ...13080...
Thu Mar 10 23:55:13 EST 2005

Hello everyone,

I have noticed a lot of people sending bind call_id 127 to port 1025 and am
wondering why there is not a rule for this. There is one (sid:2192) but it
is only for port 135. Can anyone explain why this is? 

Shouldn't it be categorized as an information leak if someone is using a
tool like ifids to list accessible interfaces from TCP 1025?

This isn't exactly what they've been doing, but they have been trying to
bind--which I can't see as being a good thing.
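
An added example, not part of the original post and not the content of sid:2192: a port-independent check that reads the DCE/RPC connection-oriented header from a TCP payload and reports bind PDUs carrying call_id 127 on any port other than 135. The function names, sample addresses and payloads are constructed for illustration.

```python
import struct

DCERPC_BIND = 11  # PTYPE value of a bind PDU in the connection-oriented header

def parse_co_header(payload):
    """Return the DCE/RPC common header fields, or None if this is not DCE/RPC v5.0."""
    if len(payload) < 16 or payload[0] != 5 or payload[1] != 0:
        return None
    # drep[0] high nibble selects integer byte order: 0x1 little-endian, 0x0 big-endian
    endian = "<" if payload[4] & 0xF0 == 0x10 else ">"
    frag_len, auth_len, call_id = struct.unpack_from(endian + "HHI", payload, 8)
    if frag_len < 16:  # shorter than the common header itself: not a valid PDU
        return None
    return {"ptype": payload[2], "frag_len": frag_len, "call_id": call_id}

def flag_binds(segments, call_id=127, expected_ports=(135,)):
    """Return (src, dport) for bind PDUs with the given call_id outside expected_ports."""
    hits = []
    for src, dport, payload in segments:
        hdr = parse_co_header(payload)
        if (hdr and hdr["ptype"] == DCERPC_BIND
                and hdr["call_id"] == call_id and dport not in expected_ports):
            hits.append((src, dport))
    return hits

def make_bind(call_id, little_endian=True):
    """Constructed sample: 16-byte common header plus a zeroed 8-byte body stub."""
    e = "<" if little_endian else ">"
    drep = bytes([0x10 if little_endian else 0x00, 0, 0, 0])
    body = bytes(8)  # stub only, not a complete bind body
    head = bytes([5, 0, DCERPC_BIND, 0x03]) + drep  # 0x03 = first and last fragment
    return head + struct.pack(e + "HHI", 16 + len(body), 0, call_id) + body

# Constructed (src, dport, payload) tuples; addresses are documentation ranges.
SAMPLE = [
    ("192.0.2.10", 1025, make_bind(127)),
    ("192.0.2.11", 135, make_bind(127)),            # already covered on port 135
    ("192.0.2.12", 1025, make_bind(1)),             # bind, different call_id
    ("192.0.2.13", 1025, make_bind(127, little_endian=False)),
    ("192.0.2.14", 1025, b"GET / HTTP/1.0\r\n\r\n"),  # not DCE/RPC
]

if __name__ == "__main__":
    for src, dport in flag_binds(SAMPLE):
        print(f"bind call_id 127 from {src} to port {dport}")
```
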

