[Snort-sigs] RPC Portmap Request

Joel Esler jesler at ...435...
Fri Apr 8 11:36:16 EDT 2011


Okay, so you received an Impact Flag one, which tells me you are running
Sourcefire.

So, you have the Operating System in question, the port is open, the service
on the port is correct, and the service is potentially vulnerable to this
condition (the makings of an Impact 1), so this is someone external to your
network who attempted to connect to ttdbserv on port 111 on your network.

Is the external network a known IP?  Is that IP authorized to connect to the
destination IP (HOME_NET) in question?  Or is it a random connection out
there on the internet?

Do you have a business need to have port 111 open from the internet to your
servers?  I'd probably start by blocking the ports.

Joel

On Fri, Apr 8, 2011 at 1:01 AM, Mohd Mukrim Che Mohamad Zulkifly <
mukrim.zulkifly at ...3584...> wrote:

> Hi,
>
> A few days ago, I received two Impact Flag 1 event alerts triggered by this
> rule
>
> Rule : alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap
> ttdbserv request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12;
> content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align;
> byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4;
> content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy balanced-ips
> drop, policy security-ips drop, service sunrpc; reference:arachnids,24;
> reference:bugtraq,122; reference:bugtraq,3382; reference:cve,1999-0003;
> reference:cve,1999-0687; reference:cve,1999-1075; reference:cve,2001-0717;
> reference:url,www.cert.org/advisories/CA-2001-05.html;
> classtype:rpc-portmap-decode; sid:588; rev:20; )
>
> Only two events were triggered, which made it suspicious. If it's an
> important service in the network, then a lot of events should have been
> triggered. Is it normal for this portmap request to happen?
>
> Thanks in advance.
>



-- 
Joel Esler | http://blog.snort.org | http://vrt-blog.snort.org |
http://blog.clamav.net
Twitter:  http://twitter.com/snort
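As an added example (not part of the thread, and not Snort or Sourcefire code), the Python below decodes what SID 588 is actually looking at. The rule matches a Sun RPC CALL to the portmapper (program 100000, bytes 00 01 86 A0 at offset 12) with procedure 3 (GETPORT) at offset 20, uses two byte_jumps to skip the variable-length credential and verifier fields, and then checks that the program being asked for is 100083 (00 01 86 F3), the ToolTalk database server. The code builds constructed GETPORT requests with AUTH_NULL and AUTH_UNIX credentials so the skip logic is exercised, and applies the same checks. The program numbers, offsets and message layout come from the rule and the Sun RPC call format; the function names, the xid and the credential values are made up for the example.

```python
"""
Decode the Sun RPC / portmap GETPORT request that Snort SID 588 matches.

Added example, not from the mailing-list thread or from Snort/Sourcefire.
RPC call framing is RFC 5531 over UDP (no record mark), so field offsets
match the rule's offset/distance/byte_jump values directly.
"""
import struct

PMAP_PROG = 100000        # 0x000186A0, portmapper (content at offset 12)
PMAP_VERS = 2
PMAPPROC_GETPORT = 3      # content "|00 00 00 03|" at offset 20
TTDBSERV_PROG = 100083    # 0x000186F3, ToolTalk database server
MSG_CALL = 0              # content "|00 00 00 00|" at offset 4
AUTH_NULL = 0
AUTH_UNIX = 1


def _opaque(body: bytes) -> bytes:
    """XDR opaque: 4-byte length, body, zero-padded to a 4-byte boundary."""
    pad = (-len(body)) % 4
    return struct.pack(">I", len(body)) + body + b"\x00" * pad


def _auth(flavor: int, body: bytes) -> bytes:
    """RPC opaque_auth: flavor followed by an opaque body."""
    return struct.pack(">I", flavor) + _opaque(body)


def auth_unix_body(stamp: int, machine: bytes, uid: int, gid: int, gids=()) -> bytes:
    """Body of an AUTH_UNIX (AUTH_SYS) credential; values are constructed."""
    body = struct.pack(">I", stamp) + _opaque(machine) + struct.pack(">II", uid, gid)
    body += struct.pack(">I", len(gids)) + b"".join(struct.pack(">I", g) for g in gids)
    return body


def build_getport(prog: int, vers: int = 1, proto: int = 17, xid: int = 0x1234ABCD,
                  cred: bytes = b"", cred_flavor: int = AUTH_NULL) -> bytes:
    """Construct a portmap v2 GETPORT call asking where `prog` listens."""
    hdr = struct.pack(">IIIIII", xid, MSG_CALL, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT)
    auth = _auth(cred_flavor, cred) + _auth(AUTH_NULL, b"")   # cred, then verf
    args = struct.pack(">IIII", prog, vers, proto, 0)           # GETPORT arguments
    return hdr + auth + args


def _align4(n: int) -> int:
    return (n + 3) & ~3


def getport_target(pkt: bytes):
    """Program number requested in a portmap GETPORT call, or None.

    Follows SID 588 step by step: fixed-offset matches on msg_type, program
    and procedure, then two byte_jump:4,4,relative,align skips over the
    credential and verifier, then the program number in the arguments.
    """
    if len(pkt) < 24:
        return None
    msg_type = struct.unpack_from(">I", pkt, 4)[0]
    prog = struct.unpack_from(">I", pkt, 12)[0]
    proc = struct.unpack_from(">I", pkt, 20)[0]
    if msg_type != MSG_CALL or prog != PMAP_PROG or proc != PMAPPROC_GETPORT:
        return None
    pos = 24                      # end of the proc field, start of the credential
    for _ in range(2):            # byte_jump over cred, then over verf
        if pos + 8 > len(pkt):
            return None           # truncated: the rule's byte_jump fails, no alert
        length = struct.unpack_from(">I", pkt, pos + 4)[0]   # skip flavor, read length
        pos = pos + 8 + _align4(length)
    if pos + 4 > len(pkt):
        return None
    return struct.unpack_from(">I", pkt, pos)[0]   # content "|00 01 86 F3|"; within:4


def sid588_matches(pkt: bytes) -> bool:
    """True when the packet would fire the posted rule."""
    return getport_target(pkt) == TTDBSERV_PROG


if __name__ == "__main__":
    # Constructed samples: a lookup for ttdbserv with AUTH_UNIX creds, and one for NFS.
    suspect = build_getport(TTDBSERV_PROG, cred=auth_unix_body(1, b"ws1", 0, 0, (0,)),
                            cred_flavor=AUTH_UNIX)
    benign = build_getport(100003)
    for name, pkt in (("ttdbserv lookup", suspect), ("nfs lookup", benign)):
        print(f"{name}: target prog {getport_target(pkt)}, SID 588 match: {sid588_matches(pkt)}")
```

The decoder returns the requested program number rather than just a boolean, which is what you want during triage: the same portmap GETPORT shape with a different program number (NFS, mountd, and so on) is routine and does not fire the rule, so seeing exactly which program was asked for tells you whether the two alerts were someone probing for ToolTalk or a misfire. Note that the rule only sees the lookup; whether ttdbserv is actually registered on the host is what the portmapper's reply would show.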