[Snort-sigs] Not sure I understand "RPC AMD TCP pid request"..

Brian bmc at ...95...
Sun May 4 10:03:22 EDT 2003


On Fri, May 02, 2003 at 03:55:54PM -0700, Tom Arseneault wrote:
> alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD TCP pid request"; flow:to_server,established; content:"|00 04 93 F3|"; content:"|00 00 00 09|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:1953; rev:1;)

> What I don't understand is why the destination port is 500(tcp), everything
> I found says 500 is ike/isakmp for IPSec. Automounter just uses 
> portmapper(111), mountd(600-1023), NIS(600-1023) and NFS(2049) ports. A quick 
> look thru the am-utils web site did not find any indication of it using any 
> other ports. 

The port is NOT 500, the port is "any port from 500 and up."  amd has
its own service (300019) that generally runs on ports above 500.

Port 111 is for portmap.  In this rule, we are looking for the pid request
on the amd service, NOT the portmap request for where this service is 
running.

> I did a quick web search and was unable to find any indications that this 
> rule has ever hit on anybody's systems (where they share alerts anyway), 
> and I don't currently have the lab facility to allow me to test this. 

Well, it's very easy.

1) setup a system that uses AMD.
2) on another system, run "amq -h system.running.amd -p -T"

-brian
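The exchange above comes down to two byte patterns in one ONC RPC call header. The following script, added here as an illustration and not code from the thread or from am-utils, builds the two RPC messages Brian contrasts and re-implements the content checks of sid 1953 over them. It assumes amq speaks to amd as program 300019 version 1 (the version number is an assumption; the rule ignores it) and treats procedure 9 as the pid request because that is what the rule's msg calls the |00 00 00 09| bytes. Both messages are constructed inline, not captured traffic.

```python
import struct

# ONC RPC (RFC 5531) message constants
RPC_CALL = 0
RPC_VERSION = 2
AUTH_NULL = 0

# Program / procedure numbers that appear in the thread and the rule
PMAP_PROGRAM = 100000        # portmapper, program 100000, normally on port 111
PMAPPROC_GETPORT = 3
AMD_PROGRAM = 300019         # amd's own RPC service, 0x000493F3 in the rule
AMQPROC_GETPID = 9           # procedure 9: what sid 1953 labels the "pid request"
AMQ_VERSION = 1              # assumption: version used by amq; the rule does not check it

RECORD_MARK_LAST = 0x80000000  # RPC-over-TCP record marking: last-fragment bit


def build_rpc_call(xid, program, version, procedure, args=b"", tcp=True):
    """Serialise a minimal ONC RPC CALL with AUTH_NULL credential and verifier.

    Header order is xid, msg_type, rpcvers, prog, vers, proc (4-byte big-endian
    each), then credential and verifier (flavor + zero length), then the
    procedure arguments.  For TCP a 4-byte record mark is prepended.
    """
    body = struct.pack(">IIIIII", xid, RPC_CALL, RPC_VERSION, program, version, procedure)
    body += struct.pack(">II", AUTH_NULL, 0)   # credential
    body += struct.pack(">II", AUTH_NULL, 0)   # verifier
    body += args
    if tcp:
        body = struct.pack(">I", RECORD_MARK_LAST | len(body)) + body
    return body


def parse_rpc_call(payload, tcp=True):
    """Return (program, version, procedure) from an RPC CALL, or None if it is not one."""
    off = 4 if tcp else 0
    if len(payload) < off + 24:
        return None
    _xid, msg_type, rpcvers, prog, vers, proc = struct.unpack_from(">IIIIII", payload, off)
    if msg_type != RPC_CALL or rpcvers != RPC_VERSION:
        return None
    return prog, vers, proc


def sid1953_matches(payload, dst_port):
    """Reproduce the rule's match logic on a to-server TCP payload.

    dst port 500:                                  -> any port >= 500
    content:"|00 04 93 F3|"                        -> program 300019 anywhere
    content:"|00 00 00 09|"; distance:4; within:4  -> exactly 4 bytes after the
        end of the first match (that skips the version field) the next 4 bytes
        must be procedure 9.  Snort retries later occurrences of the first
        content, so the loop does as well.
    """
    if dst_port < 500:
        return False
    prog_bytes = struct.pack(">I", AMD_PROGRAM)     # 00 04 93 F3
    proc_bytes = struct.pack(">I", AMQPROC_GETPID)  # 00 00 00 09
    start = 0
    while True:
        i = payload.find(prog_bytes, start)
        if i < 0:
            return False
        end = i + len(prog_bytes)
        if payload[end + 4:end + 8] == proc_bytes:   # distance:4; within:4
            return True
        start = i + 1


# Constructed sample traffic (not captured data)

# 1. The pid request itself: amq calling amd (program 300019, procedure 9) on
#    whatever port above 500 portmap handed out.  This is what sid 1953 wants.
PID_REQUEST = build_rpc_call(xid=0x1234, program=AMD_PROGRAM, version=AMQ_VERSION,
                             procedure=AMQPROC_GETPID)

# 2. The portmap lookup that precedes it: PMAPPROC_GETPORT to program 100000 on
#    port 111 with (prog=300019, vers=1, prot=6/TCP, port=0) as arguments.
#    300019 appears here too, but as an argument; the bytes 4 past it are the
#    protocol field (6), not procedure 9, so the rule does not fire on it.
PORTMAP_LOOKUP = build_rpc_call(xid=0x1233, program=PMAP_PROGRAM, version=2,
                                procedure=PMAPPROC_GETPORT,
                                args=struct.pack(">IIII", AMD_PROGRAM, AMQ_VERSION, 6, 0))


def demo():
    """Run both samples through the parser and the rule logic."""
    return {
        "pid_request_parsed": parse_rpc_call(PID_REQUEST),
        "pid_request_fires": sid1953_matches(PID_REQUEST, dst_port=1021),
        "portmap_lookup_parsed": parse_rpc_call(PORTMAP_LOOKUP),
        "portmap_lookup_fires": sid1953_matches(PORTMAP_LOOKUP, dst_port=111),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it shows the point Brian makes: only the call addressed to program 300019 with procedure 9 satisfies both content checks, while the portmap GETPORT lookup carries the same 00 04 93 F3 bytes as an argument and is ignored, both because its port is 111 and because the bytes at distance 4 are the protocol number rather than 00 00 00 09.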