[Snort-sigs] Not sure I understand "RPC AMD TCP pid request"..

Tom Arseneault TArseneault at ...1491...
Fri May 2 15:57:02 EDT 2003

I verified that this has been the way the rule has been writein since day one. I verified that "|00 04 93 F3|" was 300019 which is rpc for amd/amq (I assumed "|00 00 00 09|" stands for the "-p" command line option). I understand, mostly, that the two content sections should be within 4 bytes and not more than 4 bytes from each other (the 2.0 manual was a little unclear on this point, both "distance" and "within" had the same description "at least Nbytes" but usage examples showed that they mirror each other). What I don't understand is why the destination port is 500(tcp), everything I found says 500 is ike/isakamp for IPSec. Automounter just uses portmapper(111), mountd(600-1023), NIS(600-1023)and NFS(2049) ports. A quick look thru the am-utils web site did not find any indication of it using any other ports. 

alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD TCP pid request"; flow:to_server,established; content:"|00 04 93 F3|"; content:"|00 00 00 09|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:1953; rev:1;)

I did a quick web search and was unable to find any indications that this rule have ever hit on anybodys systems (where they share alerts anyway), and I don't currently have the lab facility to allow me to test this. Though I did run the amq command and it complained about not being able to talk to portmapper (which I don't run on my systems). So my question is two fold: why is the destination port 500 and not 111? And if 500 is the correct port, is there any documentation to support this? Note: all the AMD rules in rpc.rules are for port 500.

Tom Arseneault
Security Engineer
Counterpane Internet Security.
"All humans are born Right-Handed...but the great ones overcome it."

More information about the Snort-sigs mailing list