Snort mailing list archives

spp_rpc_decode


From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Wed, 3 Dec 2003 16:05:49 -0600

I'm getting Incomplete RPC segment alerts as well as Multiple RPC
Records alerts.  I've read the manual and searched the archives, and I
know how to disable them, but I can't find any information on what those
alerts mean.

Can someone point me to a resource/doc that explains what those alerts
mean?

Since you can configure the ports the preprocessor decodes traffic on, I
would assume that 111 and 32771 are used in order to cover both
"standard" and SUN RPC traffic.  Is this correct?

Is there a way to specify the source port as opposed to destination
port?  The alerts I'm seeing appear to be a normal ssh session with src
port 22 and dest port 32771 (which is why the alerts are being
triggered.)  If I could specify 111 and 32771 as src ports only, that
would seem to make more sense to me.

My C skills aren't that great, but I don't see anything in
spp_rpc_decode.c that specifically identifies packets as RPC packets as
opposed to plain old TCP traffic on a port.  Did I miss something?  Or
is the assumption that traffic on those ports *must* be RPC?  If so,
wouldn't it make more sense to define the ports as src ports only?  Or
am I so clueless that I've completely missed the point?

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/ 
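The two alert names in the question correspond to conditions in the ONC RPC record-marking format used over TCP (RFC 5531, section 11), where each fragment is preceded by a 4-byte header whose high bit marks the last fragment of a record and whose low 31 bits give the fragment length. The following is an added example, not code from Snort's spp_rpc_decode or from the poster; it is a simplified model of the checks a port-based RPC decoder has to make, written to show why plain TCP traffic on a listed port (the SSH session above) cannot be told apart from RPC by port alone, and what "incomplete segment" and "multiple records" look like in terms of that header. The function names and the sample messages are constructed for this example.

```python
import struct

# ONC RPC record marking over TCP (RFC 5531, section 11): a 4-byte big-endian
# header precedes each fragment; the high bit flags the last fragment of a
# record, the low 31 bits give the fragment length. The RPC message itself
# begins with XID, msg_type (0 = CALL, 1 = REPLY) and, for a CALL, rpcvers == 2.
LAST_FRAGMENT = 0x80000000
RPC_CALL, RPC_REPLY = 0, 1
MIN_MESSAGE = 12  # xid + msg_type + (rpcvers for a call | reply_stat for a reply)


def looks_like_rpc(payload: bytes) -> bool:
    """Sanity check: does the start of this TCP payload parse as a record-marking
    header followed by a plausible RPC message header? (Port number alone does not
    tell us this, which is why non-RPC traffic on a listed port produces alerts.)"""
    if len(payload) < 4 + MIN_MESSAGE:
        return False
    (hdr,) = struct.unpack('!I', payload[:4])
    if (hdr & 0x7FFFFFFF) < MIN_MESSAGE:
        return False
    _xid, msg_type, third = struct.unpack('!III', payload[4:4 + MIN_MESSAGE])
    if msg_type == RPC_CALL:
        return third == 2           # rpcvers must be 2
    if msg_type == RPC_REPLY:
        return third in (0, 1)      # reply_stat: MSG_ACCEPTED or MSG_DENIED
    return False


def classify_rpc_segment(payload: bytes) -> str:
    """Walk the record-marking headers across one TCP segment payload and report
    'not_rpc', 'complete' (exactly one whole record), 'incomplete' (a record runs
    past the end of the segment) or 'multiple' (more than one whole record)."""
    if not looks_like_rpc(payload):
        return 'not_rpc'
    n, offset, records, in_record = len(payload), 0, 0, False
    while offset < n:
        if n - offset < 4:
            return 'incomplete'     # truncated record-marking header
        (hdr,) = struct.unpack('!I', payload[offset:offset + 4])
        frag_end = offset + 4 + (hdr & 0x7FFFFFFF)
        if frag_end > n:
            return 'incomplete'     # fragment claims more bytes than the segment holds
        in_record = not (hdr & LAST_FRAGMENT)
        if not in_record:
            records += 1            # a last-fragment header closes one record
        offset = frag_end
    if in_record:
        return 'incomplete'         # final fragment seen was not flagged as last
    return 'multiple' if records > 1 else 'complete'


def build_rpc_call(xid: int, prog: int, vers: int, proc: int, last: bool = True) -> bytes:
    """Constructed sample: a minimal RPC CALL with AUTH_NULL credential and verifier."""
    body = struct.pack('!IIIIII', xid, RPC_CALL, 2, prog, vers, proc)
    body += struct.pack('!IIII', 0, 0, 0, 0)    # cred flavor/length, verf flavor/length
    hdr = (LAST_FRAGMENT if last else 0) | len(body)
    return struct.pack('!I', hdr) + body


# Constructed samples, not captured traffic.
PORTMAP_CALL = build_rpc_call(0x1234, 100000, 2, 3)           # one complete record
TWO_CALLS = PORTMAP_CALL + build_rpc_call(0x1235, 100000, 2, 3)
TRUNCATED = PORTMAP_CALL[:-8]                                  # header promises 40 bytes, 32 present
SSH_BANNER = b"SSH-2.0-OpenSSH_3.7p1\r\n"                      # plain SSH seen on an RPC-listed port

if __name__ == '__main__':
    for name, sample in [('portmap call', PORTMAP_CALL), ('two calls', TWO_CALLS),
                         ('truncated', TRUNCATED), ('ssh banner', SSH_BANNER)]:
        print(f'{name:13s} -> {classify_rpc_segment(sample)}')
```

Running it shows the distinction the question is circling: the SSH banner fails the record-marking and message-header checks and is reported as not RPC, the truncated call is the "incomplete" case, and two back-to-back calls in one segment are the "multiple records" case. A decoder keyed only on the port list has to make a judgement like this on every segment, which is the reason traffic that merely happens to use an ephemeral port in the configured set shows up in the alerts.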


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

