Snort mailing list archives
Snort 1.9.1 RCP preprocessor pretty noisy
From: Jason Haar <Jason.Haar () trimble co nz>
Date: Wed, 5 Mar 2003 09:47:49 +1300
Since upgrading to 1.9.1, our Snort IDS's have been chattering (100's) on about RPC fragments, incomplete requests, etc. All of them have actually been caused by normal Web and SMTP transactions, which just happen to be sending back to port 32771 - nothing to do with RPC at all!

e.g.

2003-03-04T12:14:40+0000 sort-ids auth alert snort: [106:4:1] (spp_rpc_decode) Incomplete RPC segment <eth1> {TCP} 212.209.238.5:25 -> 1.x.y.z:32771

Has this security hole made this RPC preprocessor be pushed out before it was ready? I never got such alerts with 1.9.0.

Snort 1.9.1 under RH Linux.

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
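A triage sketch for the alert pattern reported above, added here as an example and not part of the original message or of Snort: it parses syslog lines in the layout quoted in the post and separates alerts whose source port is a Web or SMTP service replying to a watched port from those that need a closer look. The port sets, the verdict labels and the sample log lines are assumptions constructed for the example.

```python
import re
from collections import Counter

# Assumption: services whose replies were mistaken for RPC (the post names Web and SMTP).
SERVICE_PORTS = {25: "smtp", 80: "http"}
# Assumption: ports rpc_decode inspects; 32771 is from the post, 111 is the portmapper.
RPC_PORTS = {111, 32771}

# Matches the syslog alert layout quoted in the post; "<iface>" is optional.
ALERT_RE = re.compile(
    r"\[106:(?P<sid>\d+):\d+\]\s+\(spp_rpc_decode\)\s+(?P<msg>.+?)\s+"
    r"(?:<\S+>\s+)?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)"
)

def classify(line):
    """Return a dict for an spp_rpc_decode alert, or None for any other line."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    sport, dport = int(m["sport"]), int(m["dport"])
    if sport in SERVICE_PORTS and dport in RPC_PORTS:
        verdict = "likely-reply:" + SERVICE_PORTS[sport]
    else:
        verdict = "review"
    return {"sid": int(m["sid"]), "msg": m["msg"], "src": m["src"],
            "sport": sport, "dst": m["dst"], "dport": dport, "verdict": verdict}

def summarize(lines):
    """Count verdicts across a log, ignoring lines that are not rpc_decode alerts."""
    return Counter(r["verdict"] for r in map(classify, lines) if r)

# Constructed sample log lines (documentation addresses), not real traffic.
PREFIX = ("2003-03-04T12:14:40+0000 ids1 auth alert snort: [106:4:1] "
          "(spp_rpc_decode) Incomplete RPC segment <eth1> {TCP} ")
SAMPLE = [
    PREFIX + "192.0.2.25:25 -> 198.51.100.7:32771",
    PREFIX + "192.0.2.80:80 -> 198.51.100.7:32771",
    PREFIX + "203.0.113.9:40112 -> 198.51.100.7:111",
    "2003-03-04T12:15:02+0000 ids1 auth info sshd[411]: session opened",
]

if __name__ == "__main__":
    for verdict, count in summarize(SAMPLE).most_common():
        print(f"{count:4d}  {verdict}")
```

The source port is chosen by the sender, so a `likely-reply` verdict is a hint for tuning which ports the preprocessor watches, not grounds for discarding the alert unseen.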