Snort mailing list archives
Re: spp_rpc_decode
From: Paul Schmehl <pauls () utdallas edu>
Date: Fri, 05 Dec 2003 21:02:19 -0600
--On Friday, December 05, 2003 9:18 PM -0500 Jeremy Hewlett <jh () sourcefire com> wrote:
> Josh Berry's definition of these is pretty good, so I won't rehash that. You might also find RFC1831 and Robert Graham's Sidestep tool (the rpc evasion part) interesting to look at.

Thanks for the pointers, Jeremy. I've already studied the RFC some, although I must confess I sometimes have trouble plowing through those, but I'll look for Robert's tool.

>> wouldn't it make more sense to define the ports as src ports only? Or am I so clueless that I've completely missed the point?
> As clients would be sending requests/attacks/whatever to these ports, making it src only defeats the normalization effort.

OK. I guess I don't fully comprehend the process of normalization. I thought I understood it to be the reassembly of fragmented packets as well as the conversion of "special" characters to the "standard" expected input (removal of unicode, etc.) Is my understanding incorrect? Does it require both sides of the conversation to normalize the input to those ports?

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
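
Added example, not part of the original message and not Snort's rpc_decode code: a sketch of reassembling RFC1831 record-marked fragments (4-byte header, high bit = last fragment, low 31 bits = length) so that a content match sees one contiguous record. The function names, the constructed call header and the 64 KB record limit are assumptions made for the illustration.

```python
import struct

LAST_FRAG = 0x80000000  # RFC 1831 record marking: high bit flags the final fragment


def frame(payload, sizes):
    """Encode one record as record-marked fragments of the given sizes (test data)."""
    out, pos = b"", 0
    for i, n in enumerate(sizes):
        flag = LAST_FRAG if i == len(sizes) - 1 else 0
        out += struct.pack(">I", flag | n) + payload[pos:pos + n]
        pos += n
    return out


def normalize(stream, max_record=65536):
    """Rebuild each record as one contiguous byte string; return (records, frag_counts)."""
    records, counts = [], []
    buf, nfrag, pos = b"", 0, 0
    while pos < len(stream):
        if pos + 4 > len(stream):
            raise ValueError("truncated fragment header")
        (hdr,) = struct.unpack_from(">I", stream, pos)
        length = hdr & 0x7FFFFFFF      # low 31 bits: fragment length
        pos += 4
        if pos + length > len(stream):
            raise ValueError("fragment longer than captured data")
        buf += stream[pos:pos + length]
        pos += length
        nfrag += 1
        if len(buf) > max_record:      # bound memory on hostile input
            raise ValueError("record exceeds max_record")
        if hdr & LAST_FRAG:
            records.append(buf)
            counts.append(nfrag)
            buf, nfrag = b"", 0
    if nfrag:
        raise ValueError("stream ended mid-record")
    return records, counts


# Constructed sample: first six fields of an RPC call (xid, CALL, rpcvers 2,
# program 100000, version 2, procedure 3). Not captured traffic.
CALL = struct.pack(">6I", 0x1234, 0, 2, 100000, 2, 3)
PATTERN = struct.pack(">I", 100000)    # bytes a content match would look for
WHOLE = frame(CALL, [len(CALL)])       # one fragment
SPLIT = frame(CALL, [14, 10])          # same record, boundary inside the program field

if __name__ == "__main__":
    for name, s in (("whole", WHOLE), ("split", SPLIT)):
        recs, counts = normalize(s)
        print(name, "raw match:", PATTERN in s, "normalized match:", PATTERN in recs[0], counts)
```

The fragment headers travel in the client-to-server direction, which is why the normalization has to cover traffic sent to the RPC ports.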