[Snort-sigs] Error in rstatd rules

Wozz wozz+snort at ...205...
Wed Nov 28 13:53:02 EST 2001


This is an old bug from Arachnids that was fixed a few months back but
apparently got carried over.

alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request rstatd"; content: "|01 86 A0 00 00|"; reference:arachnids,10; classtype:rpc-portmap-decode; sid:583; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request rstatd"; content: "|01 86 A0 00 00|"; reference:arachnids,10; classtype:rpc-portmap-decode; flags:A+; sid:1270; rev:2;)

should be

alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request rstatd"; content: "|01 86 A1 00 00|"; reference:arachnids,10; classtype:rpc-portmap-decode; sid:583; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request rstatd"; content: "|01 86 A1 00 00|"; reference:arachnids,10; classtype:rpc-portmap-decode; flags:A+; sid:1270; rev:2;)

(rpc 100001 vs 100000)
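
Added example, not part of the original post: a Python check of the two content patterns against constructed portmap v2 GETPORT payloads (UDP, AUTH_NONE). It assumes the standard ONC RPC call layout; the xid, program versions and helper names are made up for illustration. Because 100000 (0x186A0) is the portmapper's own program number and sits in every call header followed by the version field, the A0 pattern matches any portmap request, while A1 (100001, rstatd) matches only a lookup for rstatd.

```python
import struct

# Portmapper constants: program 100000, version 2, procedure 3 = GETPORT.
PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT = 100000, 2, 3
IPPROTO_UDP = 17

OLD_CONTENT = bytes.fromhex("0186A00000")  # content in the rules as shipped
NEW_CONTENT = bytes.fromhex("0186A10000")  # content in the corrected rules

# Constructed lookups: name -> (RPC program number, version). Versions are assumed.
SAMPLES = {"rstatd": (100001, 3), "nfs": (100003, 3), "mountd": (100005, 1)}


def getport_request(prog, vers, xid=0x12345678):
    """Build the UDP payload of a portmap GETPORT call for (prog, vers)."""
    # RPC call header: xid, msg_type=CALL(0), rpcvers=2, prog, vers, proc
    header = struct.pack(">6I", xid, 0, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT)
    # AUTH_NONE credential and verifier: flavor 0, length 0, twice
    auth = struct.pack(">4I", 0, 0, 0, 0)
    # GETPORT arguments: program, version, protocol, port (ignored, 0)
    args = struct.pack(">4I", prog, vers, IPPROTO_UDP, 0)
    return header + auth + args


def matches(payload):
    """Model a plain Snort content match: byte substring anywhere in payload."""
    return {"old": OLD_CONTENT in payload, "new": NEW_CONTENT in payload}


def evaluate():
    """Run both patterns over every constructed sample lookup."""
    return {name: matches(getport_request(p, v)) for name, (p, v) in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"GETPORT {name:7s} old(A0)={result['old']!s:5s} new(A1)={result['new']}")
```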





