[Snort-sigs] RPC Portmap Request

Mohd Mukrim Che Mohamad Zulkifly mukrim.zulkifly at ...3584...
Sun Apr 10 22:31:11 EDT 2011

Thank you very much for your reply advice.. That's right, I'm running Sourcefire. One more question, is it normal for traffic going to port 111, occurs only two times in a long given time period?
From: Joel Esler [jesler at ...435...]
Sent: Friday, April 08, 2011 11:36 PM
To: Mohd Mukrim Che Mohamad Zulkifly
Cc: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] RPC Portmap Request

Okay, so you received an Impact Flag one, which tells me you are running Sourcefire.

So, you have the Operating System in question, the port is open, the service on the port is correct, and the service is potentially vulnerable to this condition (the makings of an impact 1), so, this is someone external to your network attempted to connect to the ttdbserv on port 111 on your network.

Is the external network a known IP?  Is that IP authorized to connect to the destination IP (HOME_NET) in question?  Or is it a random connection out there on the internet?

Do you have a business need to have port 111 open from the internet to your servers?  I'd probably start by blocking the ports.


On Fri, Apr 8, 2011 at 1:01 AM, Mohd Mukrim Che Mohamad Zulkifly <mukrim.zulkifly at ...3584...<mailto:mukrim.zulkifly at ...3584...>> wrote:

A few days ago, I received two Impact Flag 1 event alerts triggered by this rule

Rule : alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap ttdbserv request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy balanced-ips drop, policy security-ips drop, service sunrpc; reference:arachnids,24; reference:bugtraq,122; reference:bugtraq,3382; reference:cve,1999-0003; reference:cve,1999-0687; reference:cve,1999-1075; reference:cve,2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html<http://www.cert.org/advisories/CA-2001-05.html>; classtype:rpc-portmap-decode; sid:588; rev:20; )

Only two events were triggered, which made it suspicious. If it's an important service in the network, then a lot of events should have been triggered. Is it normal for this portmap request to happen?

Thanks in advance.
Xperia(TM) PLAY
It's a major breakthrough. An authentic gaming
smartphone on the nation's most reliable network.
And it wants your games.
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net<mailto:Snort-sigs at lists.sourceforge.net>

Joel Esler | http://blog.snort.org | http://vrt-blog.snort.org | http://blog.clamav.net
Twitter:  http://twitter.com/snort

More information about the Snort-sigs mailing list