[Snort-sigs] RPC Portmap Request

Joel Esler jesler at ...435...
Mon Apr 11 08:15:42 EDT 2011


It depends on who the IP is.  If it's someone authorized to connect to your
services on that port, then it's perfectly normal.  However, if it's someone
on the internet that is attempting some sort of scan for services, then it's
not normal.

Joel

On Sun, Apr 10, 2011 at 10:31 PM, Mohd Mukrim Che Mohamad Zulkifly <
mukrim.zulkifly at ...3584...> wrote:

>
> Thank you very much for your reply and advice. That's right, I'm running
> Sourcefire. One more question: is it normal for traffic going to port 111
> to occur only two times in a long given time period?
> _______________________________________
> From: Joel Esler [jesler at ...435...]
> Sent: Friday, April 08, 2011 11:36 PM
> To: Mohd Mukrim Che Mohamad Zulkifly
> Cc: snort-sigs at lists.sourceforge.net
> Subject: Re: [Snort-sigs] RPC Portmap Request
>
> Okay, so you received an Impact Flag one, which tells me you are running
> Sourcefire.
>
> So, you have the Operating System in question, the port is open, the
> service on the port is correct, and the service is potentially vulnerable to
> this condition (the makings of an impact 1), so this is someone external to
> your network attempting to connect to the ttdbserv on port 111 on your
> network.
>
> Is the external network a known IP?  Is that IP authorized to connect to
> the destination IP (HOME_NET) in question?  Or is it a random connection out
> there on the internet?
>
> Do you have a business need to have port 111 open from the internet to your
> servers?  I'd probably start by blocking the ports.
>
> Joel
>
> On Fri, Apr 8, 2011 at 1:01 AM, Mohd Mukrim Che Mohamad Zulkifly <
> mukrim.zulkifly at ...3584...> wrote:
> Hi,
>
> A few days ago, I received two Impact Flag 1 event alerts triggered by this
> rule
>
> Rule : alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap
> ttdbserv request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12;
> content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align;
> byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4;
> content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy balanced-ips
> drop, policy security-ips drop, service sunrpc; reference:arachnids,24;
> reference:bugtraq,122; reference:bugtraq,3382; reference:cve,1999-0003;
> reference:cve,1999-0687; reference:cve,1999-1075; reference:cve,2001-0717;
> reference:url,www.cert.org/advisories/CA-2001-05.html;
> classtype:rpc-portmap-decode; sid:588; rev:20; )
>
> Only two events were triggered, which made it suspicious. If it's an
> important service in the network, then a lot of events should have been
> triggered. Is it normal for this portmap request to happen?
>
> Thanks in advance.
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
>
>
> --
> Joel Esler | http://blog.snort.org | http://vrt-blog.snort.org |
> http://blog.clamav.net
> Twitter:  http://twitter.com/snort
>



-- 
Joel Esler | http://blog.snort.org | http://vrt-blog.snort.org |
http://blog.clamav.net
Twitter:  http://twitter.com/snort
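To make the rule quoted above concrete, here is an added example (not part of the original thread and not Snort's own code) that builds SunRPC portmapper GETPORT requests and re-implements the matching logic of sid:588 byte by byte. The rule checks, in order: program 100000 (portmapper, |00 01 86 A0|) at offset 12 of the RPC call, procedure 3 (GETPORT) at offset 20, then two byte_jumps over the variable-length credential and verifier fields, then the GETPORT argument program 100083 (|00 01 86 F3|, the ToolTalk database server, ttdbserverd), and finally msg_type 0 (CALL) at offset 4. The sample packets, the xid, and the function names are constructed for this example; the program numbers and field layout are the standard ONC RPC and portmapper v2 encoding.

```python
import struct

PMAP_PROG = 100000        # 0x000186A0, portmapper
PMAPPROC_GETPORT = 3      # portmapper v2 procedure 3
TTDBSERV_PROG = 100083    # 0x000186F3, ToolTalk database server (ttdbserverd)
MOUNTD_PROG = 100005      # used below as a benign lookup for contrast
RPC_CALL = 0
AUTH_NULL = 0
AUTH_UNIX = 1


def _align4(n):
    """Round up to the next 4-byte (XDR) boundary, as Snort's byte_jump 'align' does."""
    return (n + 3) & ~3


def _opaque(b):
    """XDR variable-length opaque: 4-byte length, payload, zero padding to 4 bytes."""
    return struct.pack(">I", len(b)) + b + b"\x00" * (_align4(len(b)) - len(b))


def auth_unix_body(stamp=0, machinename=b"host", uid=0, gid=0, gids=()):
    """Body of an AUTH_UNIX credential (stamp, machinename, uid, gid, gids)."""
    body = struct.pack(">I", stamp) + _opaque(machinename) + struct.pack(">II", uid, gid)
    return body + struct.pack(">I", len(gids)) + b"".join(struct.pack(">I", g) for g in gids)


def build_getport_call(target_prog, xid=0x1234ABCD, cred_flavor=AUTH_NULL, cred_body=b"",
                       target_vers=1, proto=17):
    """Constructed sample: a SunRPC CALL to portmapper v2 GETPORT for `target_prog`."""
    # xid, msg_type, rpcvers, prog, vers, proc  (bytes 0..23)
    hdr = struct.pack(">IIIIII", xid, RPC_CALL, 2, PMAP_PROG, 2, PMAPPROC_GETPORT)
    cred = struct.pack(">I", cred_flavor) + _opaque(cred_body)   # flavor + opaque body
    verf = struct.pack(">I", AUTH_NULL) + _opaque(b"")           # flavor + empty body
    args = struct.pack(">IIII", target_prog, target_vers, proto, 0)  # mapping: prog, vers, prot, port
    return hdr + cred + verf + args


def _byte_jump(buf, pos):
    """Mirror `byte_jump:4,4,relative,align`: read the 4-byte big-endian length that sits
    4 bytes past the cursor (i.e. skip the auth flavor), round it up to a 4-byte boundary,
    and return the cursor placed just past that opaque field. None if truncated."""
    if pos + 8 > len(buf):
        return None
    (n,) = struct.unpack(">I", buf[pos + 4:pos + 8])
    return pos + 8 + _align4(n)


def getport_target_program(buf):
    """Walk past credential and verifier and return the program a GETPORT asks for, or None."""
    pos = _byte_jump(buf, 24)
    if pos is not None:
        pos = _byte_jump(buf, pos)
    if pos is None or pos + 4 > len(buf):
        return None
    return struct.unpack(">I", buf[pos:pos + 4])[0]


def sid588_matches(buf):
    """True if this UDP payload to port 111 would trigger sid:588 rev:20."""
    # content:"|00 01 86 A0|"; depth:4; offset:12;            -> prog = portmapper
    if buf[12:16] != b"\x00\x01\x86\xa0":
        return False
    # content:"|00 00 00 03|"; within:4; distance:4;          -> skip vers, proc = GETPORT
    if buf[20:24] != b"\x00\x00\x00\x03":
        return False
    # byte_jump x2, then content:"|00 01 86 F3|"; within:4;   -> argument prog = ttdbserv
    if getport_target_program(buf) != TTDBSERV_PROG:
        return False
    # content:"|00 00 00 00|"; depth:4; offset:4;             -> msg_type = CALL
    return buf[4:8] == b"\x00\x00\x00\x00"


if __name__ == "__main__":
    samples = {
        "ttdbserv lookup, AUTH_NULL": build_getport_call(TTDBSERV_PROG),
        "ttdbserv lookup, AUTH_UNIX": build_getport_call(
            TTDBSERV_PROG, cred_flavor=AUTH_UNIX, cred_body=auth_unix_body(machinename=b"box")),
        "mountd lookup (benign)": build_getport_call(MOUNTD_PROG),
    }
    for name, pkt in samples.items():
        print(f"{name:30s} prog={getport_target_program(pkt)} match={sid588_matches(pkt)}")
```

The AUTH_UNIX case is the one that makes the two byte_jumps necessary: the credential length varies with the machine name and group list, so the program argument is not at a fixed offset. Seeing only two such lookups, as in the thread, is consistent with a scan that asks the portmapper once per host where ttdbserv is registered rather than with legitimate ToolTalk clients, which would query repeatedly.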

