Snort mailing list archives
RPC Portmap Request
From: Mohd Mukrim Che Mohamad Zulkifly <mukrim.zulkifly () bit com my>
Date: Fri, 8 Apr 2011 13:01:05 +0800
Hi,

A few days ago, I received two Impact Flag 1 event alerts triggered by this rule

Rule :
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap ttdbserv request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy balanced-ips drop, policy security-ips drop, service sunrpc; reference:arachnids,24; reference:bugtraq,122; reference:bugtraq,3382; reference:cve,1999-0003; reference:cve,1999-0687; reference:cve,1999-1075; reference:cve,2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:588; rev:20; )

Only two events were triggered, which made it suspicious. If it's an important service in the network, then a lot of events should have been triggered.

Is it normal for this portmap request to happen?

Thanks in advance.

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
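What sid 588 tests in the UDP payload, as an added example that is not part of the original post and is not Snort code: a Python decoder that walks the same ONC RPC fields as the rule (CALL message, portmapper program 0x186A0, procedure 3 GETPORT, the two skipped auth blocks, queried program 0x186F3), useful for triaging a captured payload behind an alert. The function names and the sample packets built by `build_call` are constructed for illustration.

```python
import struct

# Values taken from the rule's content matches.
PMAP_PROG = 0x186A0    # 100000, portmapper
PMAP_GETPORT = 3       # procedure number matched by |00 00 00 03|
TTDB_PROG = 0x186F3    # 100083, the program sid 588 looks for

def skip_opaque_auth(buf, pos):
    """Mirror of byte_jump:4,4,relative,align: skip flavor, read length, jump padded body."""
    (length,) = struct.unpack_from(">I", buf, pos + 4)
    return pos + 8 + ((length + 3) & ~3)

def decode_getport(payload):
    """Return the GETPORT query fields, or None if this is not a portmap GETPORT call."""
    try:
        xid, mtype, _rpcvers, prog, _vers, proc = struct.unpack_from(">6I", payload, 0)
        if mtype != 0 or prog != PMAP_PROG or proc != PMAP_GETPORT:
            return None
        pos = skip_opaque_auth(payload, 24)   # credentials
        pos = skip_opaque_auth(payload, pos)  # verifier
        # Stricter than the rule: requires the full 16-byte argument block,
        # while the rule only checks its first 4 bytes.
        q_prog, q_vers, q_prot, _port = struct.unpack_from(">4I", payload, pos)
    except struct.error:                      # truncated or bogus lengths
        return None
    return {"xid": xid, "program": q_prog, "version": q_vers, "protocol": q_prot}

def matches_sid_588(payload):
    """True when the payload is a GETPORT query for program 100083."""
    q = decode_getport(payload)
    return q is not None and q["program"] == TTDB_PROG

def build_call(query_prog, cred=b""):
    """Constructed sample: a GETPORT call asking for query_prog over UDP (17)."""
    pad = b"\x00" * (-len(cred) % 4)
    hdr = struct.pack(">6I", 0x1234, 0, 2, PMAP_PROG, 2, PMAP_GETPORT)
    auth = struct.pack(">2I", 1 if cred else 0, len(cred)) + cred + pad
    auth += struct.pack(">2I", 0, 0)          # AUTH_NULL verifier
    return hdr + auth + struct.pack(">4I", query_prog, 1, 17, 0)

if __name__ == "__main__":
    for prog in (TTDB_PROG, 100003):          # 100003 is NFS, for contrast
        pkt = build_call(prog, cred=b"hello")
        print(prog, decode_getport(pkt), matches_sid_588(pkt))
```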
Current thread:
- RPC Portmap Request Mohd Mukrim Che Mohamad Zulkifly (Apr 08)
- Re: RPC Portmap Request Joel Esler (Apr 08)
- Re: RPC Portmap Request Mohd Mukrim Che Mohamad Zulkifly (Apr 10)
- Re: RPC Portmap Request Joel Esler (Apr 11)
- Re: RPC Portmap Request Mohd Mukrim Che Mohamad Zulkifly (Apr 10)
- Re: RPC Portmap Request Joel Esler (Apr 08)