Re: Incomplete RPC segment - False Positives...

[Erek Adams <erek () snort org>]

On Fri, 28 Mar 2003, Shawn Duffy wrote:

> I have been running snort for some time now and I am currently running
> snort 1.9.1 (Build 231) and my sigs were updated last on March 5th...
> All of a sudden however... after my last reboot, I am noticing a huge
> amount of alerts for Incomplete RPC Segment and Fragmented RPC Records
> from my mail server, source 993... yes, I am using IMAP-SSL for mail...
> I don't _believe_ anything has changed on the server-side and I know I
> haven't changed anything and I have been using this mail server via
> IMAP-SSL for almost a year now and have never seen this before...
> Anyone know why this would happen or perhaps, has anyone seen this
> before?

1.9.1 had a lot of changes in the RPC decoder.  This is one of the new
alerts that it can generate.  You can disable the alert by using the
'no_alert_incomplete' argument.  Check the snort.conf for details.

As to why it happened after a reboot...  I'd guess you never killed your
pre-1.9.1 copy that was running in memory.  You upgraded the binaries on
your side, but never stopped the process.  Due to the reboot, the new one
finally got started.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


-------------------------------------------------------
This SF.net email is sponsored by:
The Definitive IT and Networking Event. Be There!
NetWorld+Interop Las Vegas 2003 -- Register today!
http://ads.sourceforge.net/cgi-bin/redirect.pl?keyn0001en
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users