Re: RPC Portmap Request

[Joel Esler <jesler () sourcefire com>]

It depends on who the IP is.  If it's someone authorized to connect to your
services on that port, then it's perfectly normal.  However, if it's someone
on the internet that is attempting some sort of scan for services, then it's
not normal.

Joel

On Sun, Apr 10, 2011 at 10:31 PM, Mohd Mukrim Che Mohamad Zulkifly <
mukrim.zulkifly () bit com my> wrote:

> Thank you very much for your reply advice.. That's right, I'm running
> Sourcefire. One more question, is it normal for traffic going to port 111,
> occurs only two times in a long given time period?
> _______________________________________
> From: Joel Esler [jesler () sourcefire com]
> Sent: Friday, April 08, 2011 11:36 PM
> To: Mohd Mukrim Che Mohamad Zulkifly
> Cc: snort-sigs () lists sourceforge net
> Subject: Re: [Snort-sigs] RPC Portmap Request
>
> Okay, so you received an Impact Flag one, which tells me you are running
> Sourcefire.
>
> So, you have the Operating System in question, the port is open, the
> service on the port is correct, and the service is potentially vulnerable to
> this condition (the makings of an impact 1), so, this is someone external to
> your network attempted to connect to the ttdbserv on port 111 on your
> network.
>
> Is the external network a known IP?  Is that IP authorized to connect to
> the destination IP (HOME_NET) in question?  Or is it a random connection out
> there on the internet?
>
> Do you have a business need to have port 111 open from the internet to your
> servers?  I'd probably start by blocking the ports.
>
> Joel
>
> On Fri, Apr 8, 2011 at 1:01 AM, Mohd Mukrim Che Mohamad Zulkifly <
> mukrim.zulkifly () bit com my<mailto:mukrim.zulkifly () bit com my>> wrote:
> Hi,
>
> A few days ago, I received two Impact Flag 1 event alerts triggered by this
> rule
>
> Rule : alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap
> ttdbserv request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12;
> content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align;
> byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4;
> content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy balanced-ips
> drop, policy security-ips drop, service sunrpc; reference:arachnids,24;
> reference:bugtraq,122; reference:bugtraq,3382; reference:cve,1999-0003;
> reference:cve,1999-0687; reference:cve,1999-1075; reference:cve,2001-0717;
> reference:url,www.cert.org/advisories/CA-2001-05.html<
> http://www.cert.org/advisories/CA-2001-05.html>;
> classtype:rpc-portmap-decode; sid:588; rev:20; )
>
> Only two events were triggered, which made it suspicious. If it's an
> important service in the network, then a lot of events should have been
> triggered. Is it normal for this portmap request to happen?
>
> Thanks in advance.
>
> ------------------------------------------------------------------------------
> Xperia(TM) PLAY
> It's a major breakthrough. An authentic gaming
> smartphone on the nation's most reliable network.
> And it wants your games.
> http://p.sf.net/sfu/verizon-sfdev
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net<mailto:Snort-sigs () lists sourceforge net>
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
>
>
> --
> Joel Esler | http://blog.snort.org | http://vrt-blog.snort.org |
> http://blog.clamav.net
> Twitter:  http://twitter.com/snort



-- 
Joel Esler | http://blog.snort.org | http://vrt-blog.snort.org |
http://blog.clamav.net
Twitter:  http://twitter.com/snort

------------------------------------------------------------------------------
Xperia(TM) PLAY
It's a major breakthrough. An authentic gaming
smartphone on the nation's most reliable network.
And it wants your games.
http://p.sf.net/sfu/verizon-sfdev

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org