[Snort-sigs] RPC Portmap Request

Mohd Mukrim Che Mohamad Zulkifly mukrim.zulkifly at ...3584...
Fri Apr 8 01:01:05 EDT 2011


A few days ago, I received two Impact Flag 1 event alerts triggered by this rule

Rule: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap ttdbserv request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy balanced-ips drop, policy security-ips drop, service sunrpc; reference:arachnids,24; reference:bugtraq,122; reference:bugtraq,3382; reference:cve,1999-0003; reference:cve,1999-0687; reference:cve,1999-1075; reference:cve,2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:588; rev:20; )

Only two events were triggered, which made it suspicious. If it's an important service in the network, then a lot of events should have been triggered. Is it normal for this portmap request to happen? 

Thanks in advance.
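Added example, not part of the original post or of the Snort rule set: the script below constructs an ONC RPC portmap GETPORT call (RFC 1057 layout) asking for the ttdbserv program number (100083 = 0x000186F3) and then replays the clause sequence of sid:588 over it, so each content/byte_jump in the rule can be seen against the field it anchors to. The two consecutive byte_jump clauses are there to step over the variable-length credential and verifier opaques, which is why the ttdbserv program number cannot be matched at a fixed offset. All packets here are constructed; the function names and the cred_body/verf_body parameters are this example's own.

```python
"""Constructed RPC portmap GETPORT calls walked with the clause order of Snort sid:588."""
import struct

PMAP_PROG = 100000          # 0x000186A0, the portmapper program itself
PMAP_VERS = 2
PMAPPROC_GETPORT = 3        # 0x00000003, the procedure the rule keys on
TTDBSERV_PROG = 100083      # 0x000186F3, the program number asked for
MSG_CALL = 0
AUTH_NULL = 0
IPPROTO_UDP = 17


def build_getport_call(requested_prog, requested_vers=1, proto=IPPROTO_UDP,
                       xid=0x1234ABCD, cred_body=b"", verf_body=b""):
    """Construct an RPC CALL to portmapper GETPORT.  cred_body/verf_body are
    padded to 4-byte boundaries exactly as XDR opaques are on the wire."""
    def opaque(body):
        pad = (-len(body)) % 4
        return struct.pack(">II", AUTH_NULL, len(body)) + body + b"\0" * pad

    # xid | msg_type | rpc version | program | version | procedure
    header = struct.pack(">IIIIII", xid, MSG_CALL, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT)
    # GETPORT arguments: prog, vers, prot, port (port is ignored for GETPORT)
    args = struct.pack(">IIII", requested_prog, requested_vers, proto, 0)
    return header + opaque(cred_body) + opaque(verf_body) + args


def parse_call_fields(pkt):
    """Decode the fixed header fields the rule inspects, for reference."""
    xid, msg_type, rpc_vers, prog, vers, proc = struct.unpack(">IIIIII", pkt[:24])
    return {"xid": xid, "msg_type": msg_type, "rpc_vers": rpc_vers,
            "prog": prog, "vers": vers, "proc": proc}


def matches_sid_588(pkt):
    """Replay the clause sequence of sid:588 over a raw UDP payload."""
    # content:"|00 01 86 A0|"; depth:4; offset:12  -> program == portmapper
    if pkt[12:16] != b"\x00\x01\x86\xa0":
        return False
    pos = 16                                   # detection cursor after the match
    # content:"|00 00 00 03|"; within:4; distance:4 -> skip version, proc == GETPORT
    pos += 4
    if pkt[pos:pos + 4] != b"\x00\x00\x00\x03":
        return False
    pos += 4
    # byte_jump:4,4,relative,align (twice): skip credential, then verifier opaque.
    # Relative offset 4 steps over the flavor word, the 4-byte value read there is
    # the opaque body length, and align rounds the jump up to a 4-byte multiple.
    for _ in range(2):
        length_at = pos + 4
        if length_at + 4 > len(pkt):
            return False
        body_len = struct.unpack(">I", pkt[length_at:length_at + 4])[0]
        jump = body_len + (-body_len) % 4
        pos = length_at + 4 + jump
    # content:"|00 01 86 F3|"; within:4 -> first GETPORT argument is ttdbserv
    if pkt[pos:pos + 4] != b"\x00\x01\x86\xf3":
        return False
    # content:"|00 00 00 00|"; depth:4; offset:4 -> message type is CALL, not REPLY
    return pkt[4:8] == b"\x00\x00\x00\x00"


if __name__ == "__main__":
    for label, pkt in [
        ("ttdbserv GETPORT, AUTH_NULL", build_getport_call(TTDBSERV_PROG)),
        ("ttdbserv GETPORT, padded cred", build_getport_call(TTDBSERV_PROG, cred_body=b"hello")),
        ("nfs GETPORT (prog 100003)", build_getport_call(100003)),
    ]:
        print(f"{label}: fields={parse_call_fields(pkt)} match={matches_sid_588(pkt)}")
```

The third constructed packet asks the portmapper about a different program and does not match, which is the point of the last content clause: the rule fires only on lookups for ttdbserv, not on portmap traffic in general, so a small number of events is consistent with a few hosts querying for that one service.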
