Snort mailing list archives
Re: spp_rpc_decode
From: "Josh Berry" <josh.berry () netschematics com>
Date: Wed, 3 Dec 2003 23:16:00 -0600 (CST)
I believe the Multiple RPC Record alert means that there were several RPC requests in one packet, and the Incomplete one is when one request is not contained in one packet (split across multiple packets). I don't know if that helps at all; that is the most information that I could find.
> I'm getting Incomplete RPC segment alerts as well as Multiple RPC Records alerts. I've read the manual and searched the archives, and I know how to disable them, but I can't find any information on what those alerts mean. Can someone point me to a resource/doc that explains what those alerts mean?
>
> Since you can configure the ports the preprocessor decodes traffic on, I would assume that 111 and 32771 are used in order to cover both "standard" and SUN RPC traffic. Is this correct? Is there a way to specify the source port as opposed to destination port? The alerts I'm seeing appear to be a normal ssh session with src port 22 and dest port 32771 (which is why the alerts are being triggered). If I could specify 111 and 32771 as src ports only, that would seem to make more sense to me.
>
> My C skills aren't that great, but I don't see anything in spp_rpc_decode.c that specifically identifies packets as RPC packets as opposed to plain old TCP traffic on a port. Did I miss something? Or is the assumption that traffic on those ports *must* be RPC? If so, wouldn't it make more sense to define the ports as src ports only? Or am I so clueless that I've completely missed the point?
>
> Paul Schmehl (pauls () utdallas edu)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu/~pauls/
Thanks,
Josh Berry, CTO
LinkNet-Solutions
469-831-8543
josh.berry () linknet-solutions com
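The two conditions discussed in this thread (several RPC records in one packet, and a record that does not fit in one packet) can be modelled with the ONC RPC record-marking header used over TCP: a 4-byte big-endian word whose top bit flags the last fragment of a record and whose low 31 bits give the fragment length. The following added example is not Snort's spp_rpc_decode code; it is a stand-alone walker over a single TCP segment payload that reports the same two conditions, and it also shows what happens when non-RPC bytes on a configured port (a constructed SSH banner, as in the session Paul describes) are interpreted as a record mark. Record layout is the RFC 1831 record-marking standard; the sample payloads are constructed here.

```python
import struct
from typing import List, NamedTuple

LAST_FRAGMENT = 0x80000000  # top bit of the record-marking word


class RpcScan(NamedTuple):
    records: int        # complete records (last fragment seen) in this segment
    missing: int        # bytes the final fragment still needs; 0 if none
    alerts: List[str]   # condition names, named after the thread's alerts


def build_record(body: bytes, last: bool = True) -> bytes:
    """Prefix a fragment body with its record-marking header (constructed data)."""
    return struct.pack(">I", (LAST_FRAGMENT if last else 0) | len(body)) + body


def scan_rpc_segment(payload: bytes) -> RpcScan:
    """Walk record-marking headers across one segment payload.

    This is a model of the preprocessor's decision, not its implementation:
    any bytes handed to it are treated as RPC, exactly as port-based
    selection does, so an SSH banner is parsed as a (huge) fragment length.
    """
    n, offset, records, missing, open_record = len(payload), 0, 0, 0, False
    while offset < n:
        if n - offset < 4:                      # header itself is cut off
            missing = 4 - (n - offset)
            break
        (mark,) = struct.unpack_from(">I", payload, offset)
        last = bool(mark & LAST_FRAGMENT)
        frag_len = mark & 0x7FFFFFFF
        offset += 4
        if offset + frag_len > n:               # body continues in a later packet
            missing = offset + frag_len - n
            break
        offset += frag_len
        open_record = not last
        if last:
            records += 1
    alerts = []
    if records > 1:
        alerts.append("Multiple RPC Records")
    if missing or open_record:
        alerts.append("Incomplete RPC segment")
    return RpcScan(records, missing, alerts)


if __name__ == "__main__":
    two = build_record(b"\x00\x00\x00\x01") * 2          # two calls in one segment
    cut = build_record(b"\x00\x00\x00\x01")[:6]          # call split across packets
    ssh = b"SSH-2.0-OpenSSH_3.7\r\n"                     # not RPC at all
    for name, data in (("two", two), ("cut", cut), ("ssh", ssh)):
        print(name, scan_rpc_segment(data))
```

The SSH case makes the poster's observation concrete: the bytes "SSH-" read as a fragment length of about 1.4 GB, so a port-only decoder always sees an incomplete record on that connection.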
Current thread:
- spp_rpc_decode Schmehl, Paul L (Dec 03)
- Re: spp_rpc_decode Josh Berry (Dec 03)
- Re: spp_rpc_decode Jeremy Hewlett (Dec 05)
- Re: spp_rpc_decode Paul Schmehl (Dec 05)
- Re: spp_rpc_decode Chris Green (Dec 06)
- Re: spp_rpc_decode Paul Schmehl (Dec 05)