[Snort-users] callit ?

Erich Meier Erich.Meier at ...99...
Thu Aug 31 05:51:18 EDT 2000


On Thu, Aug 31, 2000 at 11:10:46AM +0200, Preben Randhol wrote:
> I keep getting this in my logs:
> 
>    portmap[213]: connect from W.X.Y.Z to +callit(300214): request from
>    unauthorized host
> 
> snort doesn't report anything wrong, but I cannot find out what callit
> is? If somebody can point me to a doc where I can find out what callit
> is it would be great.

This has nothing to do with snort.

Someone tried to call a RPC service with the program number 300214 on your
host which was denied by the portmapper.

Obviously, your portmapper is compiled with tcp_wrappers, that can be configured
via /etc/hosts.allow and /etc/hosts.deny. You should find "portmap:" lines
there.

To find out, what service the remote host requested, simply run "rpcinfo -p"
on your host and look for 300214 in the first row.

HTH,
Erich



More information about the Snort-users mailing list