Snort mailing list archives

ports running RPC svcs (was Re: disabling the new spew of spp_rpc_decode alerts)


From: Bennett Todd <bet () rahul net>
Date: Fri, 7 Mar 2003 15:27:47 -0500

2003-03-06T15:50:31 Jason Haar:
> If you know you don't have any RPC servers running on port 32771, removing
> that number will probably remove *all* the false positives too...

This reminds me of something.

I dunno if anybody cares, but a possibly interesting port to include
for an RPC service would be 17185/udp, which sometimes carries WDB,
an ONCRPC-transported remote debugger for Wind River Systems'
vxWorks embedded OS. Not all vendors disable that when they ship
product; I've found it enabled in an 802.11b access point (O The
Embarrassment:-), and Google turned up reports of it enabled on
various cable or dsl routers.

It might make sense for snort to not ship with 32771 included by
default. Or, if that's going to be included, perhaps it would make
sense to include the other ports that nmap-services lists as
possible rpc ports:

sunrpc            111/tcp    # portmapper, rpcbind
sunrpc            111/udp    # portmapper, rpcbind
rpc2portmap       369/tcp    # 
rpc2portmap       369/udp    # 
courier           530/tcp    # rpc
courier           530/udp    # rpc
sometimes-rpc2    737/udp    # Rusersd on my OpenBSD box
oftep-rpc         950/tcp    # Often RPC.statd (on Redhat Linux)
sometimes-rpc1    1012/udp   # This is rstatd on my openBSD box
wdbrpc            17185/udp  # vxWorks WDB remote debugging ONCRPC
sometimes-rpc3    32770/tcp  # Sometimes an RPC port on my Solaris box
sometimes-rpc4    32770/udp  # Sometimes an RPC port on my Solaris box
sometimes-rpc5    32771/tcp  # Sometimes an RPC port on my Solaris box (rusersd)
sometimes-rpc6    32771/udp  # Sometimes an RPC port on my Solaris box (rusersd)
sometimes-rpc7    32772/tcp  # Sometimes an RPC port on my Solaris box (status)
sometimes-rpc8    32772/udp  # Sometimes an RPC port on my Solaris box (status)
sometimes-rpc9    32773/tcp  # Sometimes an RPC port on my Solaris box (rquotad)
sometimes-rpc10    32773/udp  # Sometimes an RPC port on my Solaris box (rquotad)
sometimes-rpc11    32774/tcp  # Sometimes an RPC port on my Solaris box (rusersd)
sometimes-rpc12   32774/udp  # Sometimes an RPC port on my Solaris box (rusersd)
sometimes-rpc13   32775/tcp  # Sometimes an RPC port on my Solaris box (status)
sometimes-rpc14   32775/udp  # Sometimes an RPC port on my Solaris box (status)
sometimes-rpc15   32776/tcp  # Sometimes an RPC port on my Solaris box (sprayd)
sometimes-rpc16   32776/udp  # Sometimes an RPC port on my Solaris box (sprayd)
sometimes-rpc17   32777/tcp  # Sometimes an RPC port on my Solaris box (walld)
sometimes-rpc18   32777/udp  # Sometimes an RPC port on my Solaris box (walld)
sometimes-rpc19   32778/tcp  # Sometimes an RPC port on my Solaris box (rstatd)
sometimes-rpc20   32778/udp  # Sometimes an RPC port on my Solaris box (rstatd)
sometimes-rpc21   32779/tcp  # Sometimes an RPC port on my Solaris box
sometimes-rpc22   32779/udp  # Sometimes an RPC port on my Solaris box
sometimes-rpc23   32780/tcp  # Sometimes an RPC port on my Solaris box
sometimes-rpc24   32780/udp  # Sometimes an RPC port on my Solaris box
sometimes-rpc25   32786/tcp  # Sometimes an RPC port (mountd)
sometimes-rpc26   32786/udp  # Sometimes an RPC port
sometimes-rpc27   32787/tcp  # Sometimes an RPC port dmispd (DMI Service Provider)
sometimes-rpc28   32787/udp  # Sometimes an RPC port

-Bennett
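
An added example, not part of the original post or of Snort: it combines the two points in this thread by listing for rpc_decode only the ports where a portmapper actually reports an RPC service, and reporting which of the nmap-services candidates are unused on the monitored hosts. The `rpcinfo -p` sample is constructed, the function names and the `extra` parameter (for ports you know about that no portmapper reports) are hypothetical, and the output assumes the `preprocessor rpc_decode: <ports>` form used in snort.conf.

```python
import re

# Subset of the nmap-services entries quoted in the post.
NMAP_SERVICES = """\
sunrpc            111/tcp    # portmapper, rpcbind
sunrpc            111/udp    # portmapper, rpcbind
oftep-rpc         950/tcp    # Often RPC.statd (on Redhat Linux)
wdbrpc            17185/udp  # vxWorks WDB remote debugging ONCRPC
sometimes-rpc5    32771/tcp  # Sometimes an RPC port on my Solaris box (rusersd)
sometimes-rpc7    32772/tcp  # Sometimes an RPC port on my Solaris box (status)
"""

# Constructed sample of `rpcinfo -p` output from one monitored host.
RPCINFO_SAMPLE = """\
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   tcp  32772  status
    100003    3   tcp   2049  nfs
"""

def candidate_ports(services_text):
    """Return {(port, proto): name} from nmap-services style lines."""
    found = {}
    for line in services_text.splitlines():
        m = re.match(r"\s*(\S+)\s+(\d+)/(tcp|udp)\b", line)
        if m:
            found[(int(m.group(2)), m.group(3))] = m.group(1)
    return found

def registered_ports(rpcinfo_text):
    """Return {(port, proto)} that a portmapper reports as registered."""
    regs = set()
    for line in rpcinfo_text.splitlines():
        f = line.split()
        # Data rows start with a numeric program number; the header does not.
        if len(f) >= 4 and f[0].isdigit() and f[2] in ("tcp", "udp"):
            regs.add((int(f[3]), f[2]))
    return regs

def plan(services_text, rpcinfo_texts, extra=()):
    """Build an rpc_decode line from ports in use; list unused candidates."""
    in_use = set()
    for text in rpcinfo_texts:
        in_use |= registered_ports(text)
    ports = sorted({p for p, _ in in_use} | set(extra))
    unused = sorted({p for p, _ in candidate_ports(services_text)} - set(ports))
    return "preprocessor rpc_decode: " + " ".join(map(str, ports)), unused

if __name__ == "__main__":
    print(*plan(NMAP_SERVICES, [RPCINFO_SAMPLE]), sep="\n")
```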
