[Snort-devel] New RPC Fix Causes many false alarms

Gary Morris gmorris at ...1840...
Tue Mar 4 16:33:11 EST 2003


 
I'm having a good amount of false alarms with the new RPC preprocessor
alerts.
 
A web client could choose an ephemeral port of 32771 when connecting to a
website.  When this occurs, I am getting either 'Incomplete RPC
segment', 'Incomplete RPC Record', or 'Fragmented RPC records' from the
RPC preprocessor, at a quantity in which I must implement some sort of
fix, which it seems must be compiled within the code.  My other option
may be to just remove 32771 from the preprocessor arguments.  Or I
suppose I could comment out some lines in the below code from
spp_rpc_decode.c.  So, I suppose my main questions are:
 
1) Is there a way I can create a filter so that the RPC preprocessor
will ignore any traffic with a source or destination port of 80; and/or
even better
2) Does the RPC vulnerability only affect the 'first' packet in a
stream, or will it affect all packets?  If only the first packet, is
there a way to check and only process on a packet w/ tcp[13] = 0x02 in
the tcp header?
 
Thanks,
Gary Morris
 
    if(ret != 0)
    {
        switch(ret)
        {
        case RPC_FRAG_TRAFFIC:
            if(rpcpreprocdata.alert_fragments)
            {
                SetEvent(&event, GENERATOR_SPP_RPC_DECODE, RPC_FRAG_TRAFFIC, 1, RPC_CLASS, 3, 0);
                CallAlertFuncs(p, RPC_FRAG_TRAFFIC_STR, NULL, &event);
                CallLogFuncs(p, RPC_FRAG_TRAFFIC_STR, NULL, &event);
                do_detect = 0;
            }
            break;
        case RPC_MULTIPLE_RECORD:
            if(rpcpreprocdata.alert_multi)
            {
                SetEvent(&event, GENERATOR_SPP_RPC_DECODE, RPC_MULTIPLE_RECORD, 1, RPC_CLASS, 3, 0);
                CallAlertFuncs(p, RPC_MULTIPLE_RECORD_STR, NULL, &event);
                CallLogFuncs(p, RPC_MULTIPLE_RECORD_STR, NULL, &event);
                do_detect = 0;
            }
            break;
        case RPC_LARGE_FRAGSIZE:
            if(rpcpreprocdata.alert_large)
            {
                SetEvent(&event, GENERATOR_SPP_RPC_DECODE, RPC_LARGE_FRAGSIZE, 1, RPC_CLASS, 3, 0);
                CallAlertFuncs(p, RPC_LARGE_FRAGSIZE_STR, NULL, &event);
                CallLogFuncs(p, RPC_LARGE_FRAGSIZE_STR, NULL, &event);
                do_detect = 0;
            }
            break;
        case RPC_INCOMPLETE_SEGMENT:
            if(rpcpreprocdata.alert_incomplete)
            {
                SetEvent(&event, GENERATOR_SPP_RPC_DECODE, RPC_INCOMPLETE_SEGMENT, 1, RPC_CLASS, 3, 0);
                CallAlertFuncs(p, RPC_INCOMPLETE_SEGMENT_STR, NULL, &event);
                CallLogFuncs(p, RPC_INCOMPLETE_SEGMENT_STR, NULL, &event);
                do_detect = 0;
            }
            break;
        }
    }
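
The four alert cases in the quoted switch come from walking the ONC RPC record-marking headers of a TCP payload; the following added example (not Snort's code, written here to show the mechanism) does that walk and shows why plain HTTP bytes on a watched port such as 32771 are read as a bogus fragment header whose length runs past the segment. The enum values, the check order and the 8 KiB "large fragment" threshold are assumptions of this example, and the sample payloads are constructed, not captured.

```c
#include <stdint.h>
#include <stddef.h>

/* Outcomes named after the cases in the quoted switch; the numeric values,
 * the check order and the 8 KiB threshold are assumptions of this example. */
enum rpc_check { RPC_OK = 0, RPC_FRAG_TRAFFIC, RPC_MULTIPLE_RECORD,
                 RPC_LARGE_FRAGSIZE, RPC_INCOMPLETE_SEGMENT };
#define RPC_MAX_FRAG 8192u

/* Walk the ONC RPC record-marking headers (RFC 1831: 4-byte big-endian word,
 * top bit = last fragment, low 31 bits = fragment length) across one TCP
 * payload and report the first anomaly. Bytes that are not RPC at all, such
 * as an HTTP request arriving on a watched port, decode as a header whose
 * claimed length exceeds what the segment carries. */
enum rpc_check classify_rpc_segment(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int records = 0;
    while (off < len) {
        if (len - off < 4)
            return RPC_INCOMPLETE_SEGMENT;      /* header itself is cut off */
        uint32_t hdr = ((uint32_t)buf[off] << 24) | ((uint32_t)buf[off + 1] << 16)
                     | ((uint32_t)buf[off + 2] << 8) | (uint32_t)buf[off + 3];
        uint32_t flen = hdr & 0x7fffffffu;
        if (flen > len - off - 4)
            return RPC_INCOMPLETE_SEGMENT;      /* fragment runs past payload */
        if (flen > RPC_MAX_FRAG)
            return RPC_LARGE_FRAGSIZE;
        if (!(hdr & 0x80000000u))
            return RPC_FRAG_TRAFFIC;            /* record continues in a later fragment */
        off += 4 + flen;
        if (++records > 1)
            return RPC_MULTIPLE_RECORD;         /* two records in one segment */
    }
    return RPC_OK;
}

/* Constructed sample payloads (not captured traffic). */
static const uint8_t SAMPLE_HTTP[] = "GET / HTTP/1.0\r\n";           /* browser on port 32771 */
static const uint8_t SAMPLE_RPC_OK[44] = { 0x80, 0x00, 0x00, 0x28 };   /* one last fragment, 40 bytes */
static const uint8_t SAMPLE_RPC_TWO[88] = { 0x80, 0x00, 0x00, 0x28,    /* two complete records */
                                            [44] = 0x80, 0x00, 0x00, 0x28 };
static const uint8_t SAMPLE_RPC_FRAG[8] = { 0x00, 0x00, 0x00, 0x04, 1, 2, 3, 4 }; /* not last */
```

Running `classify_rpc_segment` over SAMPLE_HTTP reports an incomplete segment, which is the alert the poster sees on web traffic; a port-based exclusion in front of this walk is what stops it, since the bytes themselves are never valid RPC.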
