Snort mailing list archives
Re: RPC Portmap Request
From: Joel Esler <jesler () sourcefire com>
Date: Fri, 8 Apr 2011 11:36:16 -0400
Okay, so you received an Impact Flag 1, which tells me you are running Sourcefire. So, you have the Operating System in question, the port is open, the service on the port is correct, and the service is potentially vulnerable to this condition (the makings of an Impact 1). So this is someone external to your network who attempted to connect to the ttdbserv on port 111 on your network.

Is the external network a known IP? Is that IP authorized to connect to the destination IP (HOME_NET) in question? Or is it a random connection out there on the internet? Do you have a business need to have port 111 open from the internet to your servers?

I'd probably start by blocking the ports.

Joel

On Fri, Apr 8, 2011 at 1:01 AM, Mohd Mukrim Che Mohamad Zulkifly <mukrim.zulkifly () bit com my> wrote:
Hi,

A few days ago, I received two Impact Flag 1 event alerts triggered by this rule:

Rule:
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap ttdbserv request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy balanced-ips drop, policy security-ips drop, service sunrpc; reference:arachnids,24; reference:bugtraq,122; reference:bugtraq,3382; reference:cve,1999-0003; reference:cve,1999-0687; reference:cve,1999-1075; reference:cve,2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:588; rev:20;)

Only two events were triggered, which made it suspicious. If it's an important service in the network, then a lot of events should have been triggered. Is it normal for this portmap request to happen?

Thanks in advance.

------------------------------------------------------------------------------
Xperia(TM) PLAY It's a major breakthrough. An authentic gaming smartphone on the nation's most reliable network. And it wants your games. http://p.sf.net/sfu/verizon-sfdev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
-- Joel Esler | http://blog.snort.org | http://vrt-blog.snort.org | http://blog.clamav.net Twitter: http://twitter.com/snort
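To make the quoted rule concrete for triage, here is an added example (not from the thread, Snort, or Sourcefire) that builds a Sun RPC portmap GETPORT request the way it sits in a UDP payload and then walks the same content/byte_jump chain SID 588 uses: program 100000 (portmapper) at offset 12, CALL at offset 4, procedure 3 (GETPORT) at offset 20, two aligned jumps over the credential and verifier opaque blocks, and finally the requested program 100083 (ttdbserv, 0x000186F3). The byte layout follows the RPC v2 wire format; the helper names, the credential body, and the XID are constructed for this illustration.

```python
import struct

# Well-known RPC numbers referenced by the rule's hex content matches
PORTMAP_PROG = 100000      # 0x000186A0, the portmapper itself
PMAPPROC_GETPORT = 3       # procedure 3 on portmap v2
TTDBSERV_PROG = 100083     # 0x000186F3, ToolTalk database server
RPC_CALL = 0               # msg_type for a call (a reply is 1)
AUTH_NULL = 0
AUTH_UNIX = 1


def xdr_pad(data: bytes) -> bytes:
    """XDR opaque data is padded to a 4-byte boundary on the wire."""
    return data + b"\x00" * ((-len(data)) % 4)


def build_rpc_call(prog, vers, proc, cred_flavor, cred_body, args,
                   xid=0x12345678, msg_type=RPC_CALL) -> bytes:
    """Assemble an RPC v2 call: header, credentials, AUTH_NULL verifier, args.
    Field offsets: xid 0, msg_type 4, rpcvers 8, prog 12, vers 16, proc 20."""
    header = struct.pack(">IIIIII", xid, msg_type, 2, prog, vers, proc)
    # the length field carries the unpadded size; padding follows the body
    cred = struct.pack(">II", cred_flavor, len(cred_body)) + xdr_pad(cred_body)
    verf = struct.pack(">II", AUTH_NULL, 0)
    return header + cred + verf + args


def getport_args(prog, vers, proto=17, port=0) -> bytes:
    """PMAPPROC_GETPORT arguments: program, version, protocol (17 = UDP), port."""
    return struct.pack(">IIII", prog, vers, proto, port)


def skip_opaque_auth(payload: bytes, cursor: int) -> int:
    """Mirror byte_jump:4,4,relative,align: read the 4-byte length that sits
    4 bytes past the cursor (after the flavor), then jump past it, 4-aligned."""
    if cursor + 8 > len(payload):
        raise ValueError("truncated opaque_auth")
    (length,) = struct.unpack(">I", payload[cursor + 4:cursor + 8])
    return cursor + 8 + ((length + 3) & ~3)


def matches_sid_588(payload: bytes) -> bool:
    """Apply SID 588's detection logic to one UDP payload sent to port 111."""
    # content:"|00 01 86 A0|"; depth:4; offset:12  -> program == portmapper
    if payload[12:16] != b"\x00\x01\x86\xa0":
        return False
    # content:"|00 00 00 00|"; depth:4; offset:4   -> msg_type == CALL
    if payload[4:8] != b"\x00\x00\x00\x00":
        return False
    # content:"|00 00 00 03|"; within:4; distance:4 -> skip vers, proc == GETPORT
    if payload[20:24] != b"\x00\x00\x00\x03":
        return False
    cursor = 24
    try:
        cursor = skip_opaque_auth(payload, cursor)  # credentials
        cursor = skip_opaque_auth(payload, cursor)  # verifier
    except ValueError:
        return False
    # content:"|00 01 86 F3|"; within:4 -> requested program == ttdbserv
    return payload[cursor:cursor + 4] == b"\x00\x01\x86\xf3"


def requested_program(payload: bytes):
    """Triage helper: return (program, version, proto) asked for in a GETPORT
    call, or None if the payload is not a portmap GETPORT call."""
    if payload[4:8] != b"\x00\x00\x00\x00" or payload[12:16] != b"\x00\x01\x86\xa0":
        return None
    if payload[20:24] != b"\x00\x00\x00\x03":
        return None
    try:
        cursor = skip_opaque_auth(payload, skip_opaque_auth(payload, 24))
        return struct.unpack(">III", payload[cursor:cursor + 12])
    except (ValueError, struct.error):
        return None


# Constructed samples: a 13-byte AUTH_UNIX body exercises the 'align' padding.
CRED = b"\x00\x00\x00\x01host\x00\x00\x00\x00\x00"
TTDB_REQUEST = build_rpc_call(PORTMAP_PROG, 2, PMAPPROC_GETPORT, AUTH_UNIX, CRED,
                              getport_args(TTDBSERV_PROG, 1))
NFS_REQUEST = build_rpc_call(PORTMAP_PROG, 2, PMAPPROC_GETPORT, AUTH_NULL, b"",
                             getport_args(100003, 3))
TTDB_REPLY = build_rpc_call(PORTMAP_PROG, 2, PMAPPROC_GETPORT, AUTH_NULL, b"",
                            getport_args(TTDBSERV_PROG, 1), msg_type=1)

if __name__ == "__main__":
    for name, pkt in (("ttdbserv GETPORT", TTDB_REQUEST),
                      ("nfs GETPORT", NFS_REQUEST),
                      ("ttdbserv reply", TTDB_REPLY)):
        print(f"{name:18s} sid588={matches_sid_588(pkt)} asks_for={requested_program(pkt)}")
```

Running this shows why the count of alerts is low on its own: the rule fires only on a GETPORT lookup for program 100083, so hosts that have no ToolTalk server will never generate it from legitimate traffic, while a GETPORT for NFS or a portmap reply is ignored. The `requested_program` helper is the kind of decode worth running on the captured packet before deciding whether the source is an authorized client or an internet scanner, as Joel suggests.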
Current thread:
- RPC Portmap Request Mohd Mukrim Che Mohamad Zulkifly (Apr 08)
- Re: RPC Portmap Request Joel Esler (Apr 08)
- Re: RPC Portmap Request Mohd Mukrim Che Mohamad Zulkifly (Apr 10)
- Re: RPC Portmap Request Joel Esler (Apr 11)
- Re: RPC Portmap Request Mohd Mukrim Che Mohamad Zulkifly (Apr 10)
- Re: RPC Portmap Request Joel Esler (Apr 08)