Snort mailing list archives

Re: spp_rpc_decode


From: Jeremy Hewlett <jh () sourcefire com>
Date: Fri, 5 Dec 2003 21:18:04 -0500

On Wed, Dec 03, Schmehl, Paul L wrote:
I'm getting Incomplete RPC segment alerts as well as Multiple RPC
Records alerts.  I've read the manual and searched the archives, and I
know how to disable them, but I can't find any information on what those
alerts mean.

Josh Berry's definition of these is pretty good, so I won't rehash
that. You might also find RFC1831 and Robert Graham's Sidestep tool
(the rpc evasion part) interesting to look at.

Since you can configure the ports the preprocessor decodes traffic on, I
would assume that 111 and 32771 are used in order to cover both
"standard" and SUN RPC traffic.  Is this correct?

Yup.

My C skills aren't that great, but I don't see anything in
spp_rpc_decode.c that specifically identifies packets as RPC packets as
opposed to plain old TCP traffic on a port.  Did I miss something?  Or
is the assumption that traffic on those ports *must* be RPC?  If so,

Correct.

wouldn't it make more sense to define the ports as src ports only?  Or
am I so clueless that I've completely missed the point?

As clients would be sending requests/attacks/whatever to these ports,
making it src only defeats the normalization effort.
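The record-mark walk behind those two alerts, as an added illustration written for this archive page and not code taken from Snort's spp_rpc_decode.c: it parses the RFC 1831 record marking (a 4-byte mark whose high bit flags the last fragment and whose low 31 bits give the fragment length), coalesces fragments into whole records the way the normalization does, and raises "Incomplete RPC segment" when a mark promises more bytes than the segment holds and "Multiple RPC Records" when one segment carries more than one complete record. The function names, the `rpc_fragments` traffic builder and the `CALL` bytes are constructed for this example; the rpc_decode fragmentation alert is included beside the two the question asks about.

```python
import struct

LAST_FRAGMENT = 0x80000000   # high bit of the RFC 1831 record mark
LENGTH_MASK = 0x7FFFFFFF     # low 31 bits carry the fragment length


def scan_rpc_segment(payload: bytes):
    """Walk the record marks of one TCP segment seen on an RPC port.

    Returns (alerts, records): alert names chosen to match the rpc_decode
    messages, and the coalesced record bodies, which is the normalized view
    (fragment marks removed) that later rules would inspect.
    """
    alerts, records, body, frags, offset = [], [], b"", 0, 0
    incomplete = False
    while offset < len(payload):
        if len(payload) - offset < 4:
            incomplete = True            # not even room for a record mark
            break
        (mark,) = struct.unpack("!I", payload[offset:offset + 4])
        length, last = mark & LENGTH_MASK, bool(mark & LAST_FRAGMENT)
        offset += 4
        if offset + length > len(payload):
            incomplete = True            # mark promises more bytes than arrived
            break
        body += payload[offset:offset + length]
        offset += length
        frags += 1
        if last:
            records.append(body)
            if frags > 1:                # record arrived split across marks
                alerts.append("Fragmented RPC Records")
            body, frags = b"", 0
    if incomplete or frags:              # truncated, or no last-fragment bit seen
        alerts.append("Incomplete RPC segment")
    if len(records) > 1:
        alerts.append("Multiple RPC Records")
    return alerts, records


def rpc_fragments(body: bytes, sizes):
    """Build constructed RPC-over-TCP traffic: body split into fragments of
    the given sizes, only the final fragment carrying the last-fragment bit."""
    out, pos = b"", 0
    for i, n in enumerate(sizes):
        mark = (LAST_FRAGMENT if i == len(sizes) - 1 else 0) | n
        out += struct.pack("!I", mark) + body[pos:pos + n]
        pos += n
    return out


CALL = bytes(range(40))              # constructed stand-in for an RPC call body
```

Feeding `rpc_fragments(CALL, [1] * 40)` shows why the normalization matters: forty one-byte fragments reassemble to the same `CALL` a rule would otherwise miss, while `rpc_fragments(CALL, [40]) * 2` and a truncated segment trigger the two alerts the question is about.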


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net