[Snort-devel] Snort 2.0 build 54, rpc decode alerts

Lawrence Reed Lawrence.Reed at ...1489...
Mon Mar 3 23:00:25 EST 2003


I have just upgraded to snort 2.0 build 54 for the rpc vuln patch.
However I am now seeing many (several thousand in the last 3 hours)
rpc_preprocessor alerts like:

03/04/03-00:09:55.062320  {TCP} 205.156.51.230:80 -> 68.74.106.236:32771
[**] [106:2:1] spp_rpc_decode: Multiple Records in one packet [**]
[Classification: Detection of a non-standard protocol or event] 
[Priority: 3]
------------------------------------------------------------------------
03/04/03-00:09:55.062425  {TCP} 205.156.51.230:80 -> 68.74.106.236:32771
[**] [106:4:1] spp_rpc_decode: Incomplete RPC segment [**]
[Classification: Detection of a non-standard protocol or event] 
[Priority: 3]
------------------------------------------------------------------------

This looks like http data instead of RPC.  Looking at the source code I
don't see any server vs clients check.  Therefore the above alerts can
come from web (server -> client) traffic.  Should the rpc preprocessor
be checking both client and server traffic?  Should it check from
packets with a server port in the specified ports list?  For example
something like:  If (server packet) then source port must be in
RpcDecodePorts else dest port must be in RpcDecodePorts.

-- 
Larry Reed Lawrence.Reed at ...1489...
NOAA IT Security Office Incident Response Team (NCIRT) ncirt at ...1832...
PGP Public Key: http://search.keyserver.net:11371/pks/lookup?op=get&search=0x7A998772
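The direction-aware port check proposed in the post, written out as a small C example for illustration. This is not Snort's rpc_decode code; it models the two behaviours side by side so the quoted false positive can be reproduced. Assumptions: the current preprocessor selects packets whose destination port is in the configured list (the reading of the post), the configured list contains 111 and 32771 (32771 is assumed because the quoted alert fired on that destination port), and the client/server direction is supplied by a stream tracker rather than computed here. All type and function names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Direction of a TCP segment as a stream tracker would report it.
   Hypothetical names, not Snort's. */
typedef enum { FROM_CLIENT, FROM_SERVER } pkt_dir_t;

/* Minimal view of a packet: just what the port check needs. */
typedef struct {
    uint16_t  sport;   /* source port */
    uint16_t  dport;   /* destination port */
    pkt_dir_t dir;     /* who sent it, per the stream tracker (assumed input) */
} pkt_t;

/* Assumed RpcDecodePorts list: 111 (portmapper) and 32771. 32771 is included
   because the alert in the post fired on that destination port. */
static const uint16_t rpc_decode_ports[] = { 111, 32771 };
static const size_t rpc_decode_nports =
    sizeof(rpc_decode_ports) / sizeof(rpc_decode_ports[0]);

static bool port_in_list(uint16_t port)
{
    for (size_t i = 0; i < rpc_decode_nports; i++)
        if (rpc_decode_ports[i] == port)
            return true;
    return false;
}

/* Behaviour the post describes: no client/server check, so any packet whose
   destination port is listed is handed to the RPC decoder. An HTTP reply
   to an ephemeral port 32771 therefore gets decoded as RPC. */
bool rpc_decode_port_only(const pkt_t *p)
{
    return port_in_list(p->dport);
}

/* Behaviour the post proposes: for a server->client packet the *source* port
   must be an RPC port; for a client->server packet the *destination* port must. */
bool rpc_decode_direction_aware(const pkt_t *p)
{
    if (p->dir == FROM_SERVER)
        return port_in_list(p->sport);
    return port_in_list(p->dport);
}

int main(void)
{
    /* Constructed from the quoted alert: web server :80 -> client :32771. */
    pkt_t http_reply = { 80, 32771, FROM_SERVER };
    /* Constructed RPC exchange: client ephemeral :32771 <-> portmapper :111. */
    pkt_t rpc_call   = { 32771, 111, FROM_CLIENT };
    pkt_t rpc_reply  = { 111, 32771, FROM_SERVER };

    printf("HTTP reply  port-only=%d direction-aware=%d\n",
           rpc_decode_port_only(&http_reply), rpc_decode_direction_aware(&http_reply));
    printf("RPC call    port-only=%d direction-aware=%d\n",
           rpc_decode_port_only(&rpc_call), rpc_decode_direction_aware(&rpc_call));
    printf("RPC reply   port-only=%d direction-aware=%d\n",
           rpc_decode_port_only(&rpc_reply), rpc_decode_direction_aware(&rpc_reply));
    return 0;
}
```

With the direction check the HTTP reply is no longer handed to the RPC decoder, while both legs of a real RPC exchange still are. The check depends on the stream tracker having correctly identified which side is the server; for a midstream pickup where direction is unknown, the safer fallback is to keep the existing destination-port test rather than skip decoding.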