Snort mailing list archives
Re: spp_rpc_decode
From: Jeremy Hewlett <jh () sourcefire com>
Date: Fri, 5 Dec 2003 21:18:04 -0500
On Wed, Dec 03, Schmehl, Paul L wrote:
> I'm getting Incomplete RPC segment alerts as well as Multiple RPC Records alerts. I've read the manual and searched the archives, and I know how to disable them, but I can't find any information on what those alerts mean.
Josh Berry's definition of these is pretty good, so I won't rehash that. You might also find RFC1831 and Robert Graham's Sidestep tool (the rpc evasion part) interesting to look at.
> Since you can configure the ports the preprocessor decodes traffic on, I would assume that 111 and 32771 are used in order to cover both "standard" and SUN RPC traffic. Is this correct?
Yup.
> My C skills aren't that great, but I don't see anything in spp_rpc_decode.c that specifically identifies packets as RPC packets as opposed to plain old TCP traffic on a port. Did I miss something? Or is the assumption that traffic on those ports *must* be RPC? If so,
Correct.
> wouldn't it make more sense to define the ports as src ports only? Or am I so clueless that I've completely missed the point?
As clients would be sending requests/attacks/whatever to these ports, making it src only defeats the normalization effort.
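As an added illustration of what the two alert names refer to (this is not code from the thread or from Snort's spp_rpc_decode.c), the following Python walks the RFC 1831 record marks in one TCP segment payload, flags more than one record fragment per segment and a fragment header that promises more bytes than the segment holds, and shows the normalized single-record form a preprocessor would hand to the rules. The alert semantics, the port set and the sample portmapper call are assumptions constructed for the example.

```python
import struct

LAST_FRAGMENT = 0x80000000          # high bit of the RFC 1831 record mark
RPC_PORTS = {111, 32771}            # ports named in the thread; assumed per-port trust


def mark_records(body: bytes, frag_size: int = 0) -> bytes:
    """Wrap an RPC message in RFC 1831 record marks, optionally split into fragments."""
    size = frag_size or len(body)
    chunks = [body[i:i + size] for i in range(0, len(body), size)]
    out = b""
    for n, chunk in enumerate(chunks):
        mark = len(chunk) | (LAST_FRAGMENT if n == len(chunks) - 1 else 0)
        out += struct.pack("!I", mark) + chunk
    return out


def rpc_record_checks(payload: bytes) -> dict:
    """Walk the record marks in one segment payload and report the two
    conditions the thread's alerts are named after (semantics assumed here)."""
    offset, fragments, incomplete = 0, [], False
    while offset < len(payload):
        if offset + 4 > len(payload):
            incomplete = True        # trailing bytes too short for a record mark
            break
        (mark,) = struct.unpack("!I", payload[offset:offset + 4])
        length = mark & 0x7FFFFFFF
        if offset + 4 + length > len(payload):
            incomplete = True        # header promises more bytes than the segment holds
            break
        fragments.append(payload[offset + 4:offset + 4 + length])
        offset += 4 + length
    normalized = None
    if fragments and not incomplete:
        normalized = mark_records(b"".join(fragments))   # one record, last bit set
    return {"fragments": len(fragments),
            "multiple_records": len(fragments) > 1,
            "incomplete_segment": incomplete,
            "normalized": normalized}


# Constructed sample: a minimal ONC RPC CALL header (xid, CALL, rpcvers 2,
# portmapper prog 100000, vers 2, proc 3) followed by AUTH_NULL cred and verf.
SAMPLE_CALL = struct.pack("!6I", 0x1234, 0, 2, 100000, 2, 3) + struct.pack("!4I", 0, 0, 0, 0)

if __name__ == "__main__":
    for label, seg in [("single record", mark_records(SAMPLE_CALL)),
                       ("five 8-byte fragments", mark_records(SAMPLE_CALL, 8)),
                       ("truncated record", mark_records(SAMPLE_CALL)[:30])]:
        print(label, rpc_record_checks(seg))
```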