Snort mailing list archives

Previous By Date Next
Previous By Thread Next

rpc endpoint mapper

From: "Lee Clemens" <snort () leeclemens net>
Date: Fri, 11 Mar 2005 02:56:00 -0500

Hello everyone,

I have noticed a lot of people sending bind call_id 127 to port 1025 and am
wondering why there is not a rule for this. There is one (sid:2192) but it
is only for port 135. Can anyone explain why this is? 

Shouldn't it be categorized as an information leak if someone is using a
tool like ifids to list accessible interfaces from TCP 1025?

This isn't exactly what they've been doing, but they have been trying to
bind--which I can't see as being a good thing.

--Lee




-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: