Snort mailing list archives
Re: spp_rpc_decode
From: "Kenneth G. Arnold" <bkarnold () cbu edu>
Date: Wed, 05 Mar 2003 15:13:13 -0600
One of my web servers triggers the rpc alerts when it sends out information on port 32771. I don't know if it is triggering the alert every time that port is accessed but it has triggered the alert many times today:
(spp_rpc_decode) Fragmented RPC Records 425
(spp_rpc_decode) Incomplete RPC segment 374

It looks like the preprocessor simply uses port 32771 and can't differentiate between real rpc traffic and traffic that just happens to be using that port.

Ken

At 02:21 PM 3/5/03 -0600, Demetri Mouratis wrote:
As a few others on the list have mentioned, Snort 1.9.1 (Build 231) is throwing a lot of (spurious?) RPC alerts. I did some correlation in ACID and found the following:
[snip]
[snort/4] (spp_rpc_decode) Incomplete RPC segment #6-25341| [2003-03-05 06:02:16-06] 64.224.219.122:25 -> 10.1.64.7:32771

Dport 32771 keeps coming up. From my snort.conf:

preprocessor rpc_decode: 111 32771

On my 10.1.64.0/24 net, I am sending smtp traffic to the internet. Whenever a smtp connection happens to go out on 32771, spp_rpc_decode complains on the return traffic back to 32771.

Hope this helps describe the issue.

---------------------------------------------------------------------
Demetri Mouratis
dmourati () linfactory com

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Brother Kenneth Arnold
System Administrator
Information Technology Services
Christian Brothers University
(901) 321-4333
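As an added illustration of the false positive Ken and Demetri describe (this is not Snort code and not either poster's), the Python below reads the first bytes of a TCP stream the way an ONC RPC record-marking decoder (RFC 1831 layout) would, and contrasts a constructed SMTP banner arriving on port 32771 with a constructed portmapper NULL call. That spp_rpc_decode's two alerts correspond exactly to the "last fragment" bit and the declared record length is an assumption drawn from the alert names; the sample data is made up here.

```python
import struct

RPC_CALL, RPC_REPLY, RPC_VERSION = 0, 1, 2
LAST_FRAGMENT = 0x80000000

# Constructed sample: an SMTP greeting from a mail server replying to an
# ephemeral client port such as 32771.  It is not RPC at all.
SMTP_BANNER = b"220 mail.example.com ESMTP Sendmail ready\r\n"


def build_rpc_call(xid: int, prog: int, vers: int, proc: int) -> bytes:
    """Constructed ONC RPC CALL with AUTH_NULL credential and verifier."""
    body = struct.pack("!IIIIII", xid, RPC_CALL, RPC_VERSION, prog, vers, proc)
    body += struct.pack("!IIII", 0, 0, 0, 0)  # cred flavor/len, verf flavor/len
    return struct.pack("!I", LAST_FRAGMENT | len(body)) + body


def classify_rpc_stream(data: bytes) -> dict:
    """Decode the record mark a port-based RPC decoder sees, then apply the
    content check it does not: the header must look like an RPC CALL/REPLY."""
    if len(data) < 4:
        return {"fragmented": False, "incomplete": True, "plausible_rpc": False}
    mark = struct.unpack("!I", data[:4])[0]
    last = bool(mark & LAST_FRAGMENT)          # bit 31: last fragment flag
    declared_len = mark & 0x7FFFFFFF            # remaining 31 bits: length
    available = len(data) - 4
    result = {
        "last_fragment": last,
        "declared_len": declared_len,
        "fragmented": not last,                 # "Fragmented RPC Records"
        "incomplete": declared_len > available, # "Incomplete RPC segment"
    }
    header_ok = False
    if len(data) >= 16:
        _xid, msg_type, third = struct.unpack("!III", data[4:16])
        # A CALL carries rpcvers == 2; a REPLY carries reply_stat 0 or 1.
        header_ok = (msg_type == RPC_CALL and third == RPC_VERSION) or (
            msg_type == RPC_REPLY and third in (0, 1))
    result["plausible_rpc"] = header_ok and last and not result["incomplete"]
    return result


if __name__ == "__main__":
    print("smtp banner:", classify_rpc_stream(SMTP_BANNER))
    print("portmap call:", classify_rpc_stream(build_rpc_call(0x12345678, 100000, 2, 0)))
```

For the banner, "220 " as a big-endian record mark has the last-fragment bit clear and claims roughly 842 MB of payload, so both alerts fire; the header check shows a content-aware decoder would simply skip it.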
Current thread:
- spp_rpc_decode Demetri Mouratis (Mar 05)
- <Possible follow-ups>
- Re: spp_rpc_decode Kenneth G. Arnold (Mar 05)