[Snort-devel] Snort 2.0 build 54, rpc decode alerts

Lawrence Reed Lawrence.Reed at ...1489...
Mon Mar 3 23:00:25 EST 2003

I have just upgraded to Snort 2.0 build 54 for the rpc vuln patch.
However I am now seeing many (several thousand in the last 3 hours)
rpc_preprocessor alerts like:

03/04/03-00:09:55.062320  {TCP} ->
[**] [106:2:1] spp_rpc_decode: Multiple Records in one packet [**]
[Classification: Detection of a non-standard protocol or event] 
[Priority: 3]
03/04/03-00:09:55.062425  {TCP} ->
[**] [106:4:1] spp_rpc_decode: Incomplete RPC segment [**]
[Classification: Detection of a non-standard protocol or event] 
[Priority: 3]

This looks like http data instead of RPC.  Looking at the source code I 
don't see any server vs clients check.  Therefore the above alerts can 
come from web ( server -> client ) traffic.  Should the rpc preprocessor 
be checking both client and server traffic?  Should it check from 
packets with a server port in the specified ports list?  For example 
something like:  If  (server packet)  then source port must be in 
RpcDecodePorts else dest port must be in RpcDecodePorts.

Larry Reed Lawrence.Reed at ...1489...
NOAA IT Security Office Incident Response Team (NCIRT) ncirt at ...1832...
PGP Public Key: http://search.keyserver.net:11371/pks/lookup?op=get&search=0x7A998772
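The direction-aware port check the post proposes, written out as an added illustration in C (this is not Snort's own rpc_decode code; the bitmap port set, the function names and the constructed scenario of a web client whose ephemeral port happens to equal a configured RPC port are all assumptions made here to show how the two checks differ on server -> client HTTP traffic):

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

/* One bit per TCP port: a constructed stand-in for an rpc_decode ports
 * list, not Snort's own structure. */
typedef struct { uint8_t bits[65536 / 8]; } rpc_port_set;

static void rpc_ports_init(rpc_port_set *s) { memset(s->bits, 0, sizeof s->bits); }
static void rpc_ports_add(rpc_port_set *s, uint16_t p) { s->bits[p >> 3] |= (uint8_t)(1u << (p & 7)); }
static bool rpc_ports_has(const rpc_port_set *s, uint16_t p) { return (s->bits[p >> 3] >> (p & 7)) & 1u; }

/* Port-only check, no notion of direction: inspect if either end of the
 * segment is a configured RPC port. */
static bool rpc_decode_port_only(const rpc_port_set *ports, uint16_t sport, uint16_t dport)
{
    return rpc_ports_has(ports, sport) || rpc_ports_has(ports, dport);
}

/* Direction-aware check as proposed in the post: if the packet comes from
 * the server side, its *source* port must be a configured RPC port;
 * otherwise its *destination* port must be. */
static bool rpc_decode_should_inspect(const rpc_port_set *ports, uint16_t sport,
                                      uint16_t dport, bool from_server)
{
    return from_server ? rpc_ports_has(ports, sport) : rpc_ports_has(ports, dport);
}

/* Constructed scenario: RPC ports 111 and 32771 are configured, and a web
 * client picked ephemeral port 32771 for its HTTP session (assumption). */
static void demo_ports(rpc_port_set *s)
{
    rpc_ports_init(s);
    rpc_ports_add(s, 111);
    rpc_ports_add(s, 32771);
}

/* HTTP reply 80 -> 32771 (server -> client): the port-only check matches on
 * the client's ephemeral port and would hand HTTP data to the RPC decoder;
 * the direction-aware check requires the server's source port 80 to be an
 * RPC port and skips it. */
static bool http_reply_port_only(void) { rpc_port_set s; demo_ports(&s); return rpc_decode_port_only(&s, 80, 32771); }
static bool http_reply_direction_aware(void) { rpc_port_set s; demo_ports(&s); return rpc_decode_should_inspect(&s, 80, 32771, true); }

/* A portmapper request 40002 -> 111 and its reply 111 -> 40002 are still
 * inspected under the direction-aware check. */
static bool pmap_request_direction_aware(void) { rpc_port_set s; demo_ports(&s); return rpc_decode_should_inspect(&s, 40002, 111, false); }
static bool pmap_reply_direction_aware(void) { rpc_port_set s; demo_ports(&s); return rpc_decode_should_inspect(&s, 111, 40002, true); }
```

The `from_server` flag would come from the stream tracker's view of which side of the session the packet belongs to; without that state the check degrades to the port-only form.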