Snort mailing list archives

Re: spp_rpc_decode


From: "Kenneth G. Arnold" <bkarnold () cbu edu>
Date: Wed, 05 Mar 2003 15:13:13 -0600

One of my web servers triggers the rpc alerts when it sends out information on port 32771. I don't know if it is triggering the alert every time that port is accessed but it has triggered the alert many times today:

(spp_rpc_decode) Fragmented RPC Records  425
(spp_rpc_decode) Incomplete RPC segment  374

It looks like the preprocessor simply uses port 32771 and can't differentiate between real rpc traffic and traffic that just happens to be using that port.

Ken

At 02:21 PM 3/5/03 -0600, Demetri Mouratis wrote:
As a few others on the list have mentioned, Snort 1.9.1 (Build 231) is
throwing a lot of (spurious?) RPC alerts. I did some correlation in
ACID and found the following:

[snip]

[snort/4]  (spp_rpc_decode) Incomplete RPC segment
#6-25341| [2003-03-05 06:02:16-06] 64.224.219.122:25 -> 10.1.64.7:32771

Dport 32771 keeps coming up.  From my snort.conf:

preprocessor rpc_decode: 111 32771

On my 10.1.64.0/24 net, I am sending smtp traffic to the internet.
Whenever an smtp connection happens to go out on 32771, spp_rpc_decode
complains on the return traffic back to 32771.

Hope this helps describe the issue.
---------------------------------------------------------------------
Demetri Mouratis
dmourati () linfactory com



-------------------------------------------------------
This SF.net email is sponsored by: Etnus, makers of TotalView, The debugger
for complex code. Debugging C/C++ programs can leave you feeling lost and
disoriented. TotalView can help you find your way. Available on major UNIX
and Linux platforms. Try it free. www.etnus.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


Brother Kenneth Arnold
System Administrator
Information Technology Services
Christian Brothers University
(901) 321-4333
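As an added illustration (not code from this thread and not Snort's own implementation), the following Python models why a port-only check trips on SMTP return traffic to 32771: the decoder treats the first four bytes of the banner as an ONC RPC record mark. The RPC_PORTS set mirrors the quoted snort.conf line; the flow, the banner and the decoder's verdict order are constructed simplifications.

```python
import struct

# Ports from the quoted snort.conf line: "preprocessor rpc_decode: 111 32771"
RPC_PORTS = {111, 32771}


def parse_record_mark(payload):
    """ONC RPC over TCP prefixes each fragment with a 4-byte record mark:
    bit 31 = last-fragment flag, bits 0-30 = fragment length (RFC 1831)."""
    if len(payload) < 4:
        return None
    (mark,) = struct.unpack("!I", payload[:4])
    return bool(mark & 0x80000000), mark & 0x7FFFFFFF


def decode_rpc(payload):
    """Verdict a record-mark decoder gives for one TCP segment.
    Simplified model: the real preprocessor also reassembles across segments."""
    parsed = parse_record_mark(payload)
    if parsed is None:
        return "Incomplete RPC segment"
    last, length = parsed
    if not last:
        return "Fragmented RPC Records"
    if len(payload) - 4 < length:
        return "Incomplete RPC segment"
    return "ok"


def port_only_inspect(src_port, dst_port, payload):
    """The behaviour described in the thread: any packet touching a listed
    port, in either direction, is handed to the RPC decoder."""
    if src_port in RPC_PORTS or dst_port in RPC_PORTS:
        return decode_rpc(payload)
    return "skipped"


def server_port_inspect(server_port, payload):
    """Tighter check: decode only when the listening side of the flow (the
    destination port of the client's SYN) is a configured RPC port."""
    if server_port in RPC_PORTS:
        return decode_rpc(payload)
    return "skipped"


# Constructed flow from the thread: client 10.1.64.7:32771 -> 64.224.219.122:25,
# with the server's greeting returning 64.224.219.122:25 -> 10.1.64.7:32771.
SMTP_BANNER = b"220 mail.example.com ESMTP\r\n"  # ASCII "220 " = 0x32323020
REAL_RPC = b"\x80\x00\x00\x04ABCD"  # last-fragment bit set, length 4

if __name__ == "__main__":
    print("port-only  :", port_only_inspect(25, 32771, SMTP_BANNER))
    print("server-port:", server_port_inspect(25, SMTP_BANNER))
    print("real rpc   :", server_port_inspect(111, REAL_RPC))
```

The banner's first byte is ASCII "2" (0x32), so the last-fragment bit is clear and the port-only path reports "Fragmented RPC Records", while tracking which side is the server lets the same segment be skipped.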




