[Snort-users] rpc.statd

skop d'skop skop at ...2175...
Wed Jun 6 10:49:06 EDT 2001


Thanks David,
But what I wonder this pattern.
May 30 11:25:15 A.B.C.80:3348 -> X.Y.Z.9:111 SYN ******S*
May 30 11:25:16 A.B.C.80:726 -> X.Y.Z.9:111 UDP

First it looks for SYN ( which is TCP Flag) then it looks for UDP Protocol. For UDP, the source port is below < 1024.

Plus is there anything abt source port < 1024 ( isn't that abnormal ?) scanning to some destination to destination port < 1024 (normal) 


Thanks
-skop

-----Original Message-----
From:    LEFEVRE David David.LEFEVRE at ...2178...
Sent:    Wed, 06 Jun 2001 09:44:42 +0200
To:      skop at ...2175...
CC:      snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] rpc.statd


You should look for Cybercop or Nessus Security scanning tool.
I use it to improve security of my net, it runs well. It also has a
"nmap plugin".

For an exemple :
Vulnerability found on port unknown (669/tcp)

The remote statd service could be brought down
with a format string attack - it now needs to
be restarted manually.

This means that an attacker may execute arbitrary
code thanks to a bug in this daemon.

Solution : upgrade to the latest version of rpc.statd
Risk factor : High
see CVE : CVE-2000-0666 (http://cgi.nessus.org/cve.php3?cve=CVE-2000-0666)

Best regards,
David

skop d'skop wrote:

> hi guys,
> come across this alert lately for my network
>
> [**] IDS10 - RPC - portmap-request-rstatd [**]
>
> May 30 11:25:15 A.B.C.80:3348 -> X.Y.Z.9:111 SYN ******S*
> May 30 11:25:16 A.B.C.80:726 -> X.Y.Z.9:111 UDP
> May 20 11:25:15 A.B.C.80:3351 -> X.Y.Z.12:111 SYN ******S*
> May 20 11:25:15 A.B.C.80:3352 -> X.Y.Z.13:111 SYN ******S*
>
> and i'm wondering what kind of scanning / tool that trigger this alert.
>
> i 've done with #rpcinfo -p hostname and #nmap -sU -sR  hostname , yet no similiar output.
>
> -skop
> ___________________________________________________________________________
> Visit http://www.visto.com/info, your free web-based communications center.
> Visto.com. Life on the Dot.
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
David LEFEVRE
CARDIF - Architecture et S?curit? Op?rationnelle
david.lefevre at ...2178... - T?l : 01 41 42 76 63




___________________________________________________________________________
Visit http://www.visto.com/info, your free web-based communications center.
Visto.com. Life on the Dot.





More information about the Snort-users mailing list