[Snort-users] XNS or RPC

Peter Charbonneau Peter.Charbonneau at ...1479...
Mon Mar 12 14:31:53 EST 2001


I see the following packets followed by a Large ICMP Packet ....  In one database I looked in, UDP port 56 is XNS-AUTH, but tcpdump says sunrpc.  Has anybody seen this kind of thing, or is this just another mapping scheme (or some such)?

bash-2.04# tcpdump -r snort-0312\@1200.log -X host 200.131.250.24 | more
12:00:56.913056 dcs.ufla.br.737 > francis.williams.edu.sunrpc:  udp 56
  0000: 4500 0054 92f1 0000 3211 a55c c883 fa18  E..T....2..\....
  0010: 89a5 040a 02e1 006f 0040 3990 1728 4da6  .......o.@9..(M.
  0020: 0000 0000 0000 0002 0001 86a0 0000 0002  ................
  0030: 0000 0003 0000 0000 0000 0000 0000 0000  ................
  0040: 0000 0000 0001 86b8 0000 0001 0000 0011  ................
  0050: 0000 0000                                ....

12:00:59.871682 dcs.ufla.br.738 > bubona.cs.williams.edu.sunrpc:  udp 56
  0000: 4500 0054 96f2 0000 3211 9d61 c883 fa18  E..T....2..a....
  0010: 89a5 0804 02e2 006f 0040 8cbb 6ed6 9ed1  .......o.@..n...
  0020: 0000 0000 0000 0002 0001 86a0 0000 0002  ................
  0030: 0000 0003 0000 0000 0000 0000 0000 0000  ................
  0040: 0000 0000 0001 86b8 0000 0001 0000 0011  ................
  0050: 0000 0000                                ....

12:01:00.243726 dcs.ufla.br.739 > telemark.cs.williams.edu.sunrpc:  udp 56
  0000: 4500 0054 96f5 0000 3211 9d21 c883 fa18  E..T....2..!....
  0010: 89a5 0841 02e3 006f 0040 8388 5b2f bb6d  ...A...o.@..[/.m
  0020: 0000 0000 0000 0002 0001 86a0 0000 0002  ................
  0030: 0000 0003 0000 0000 0000 0000 0000 0000  ................
  0040: 0000 0000 0001 86b8 0000 0001 0000 0011  ................
  0050: 0000 0000                                ....

12:01:07.841178 dcs.ufla.br.740 > traveler.clark.williams.edu.sunrpc:  udp 56
  0000: 4500 0054 a25e 0000 3211 87e2 c883 fa18  E..T.^..2.......
  0010: 89a5 1217 02e4 006f 0040 0225 08fc 852d  .......o.@.%...-
  0020: 0000 0000 0000 0002 0001 86a0 0000 0002  ................
  0030: 0000 0003 0000 0000 0000 0000 0000 0000  ................
  0040: 0000 0000 0001 86b8 0000 0001 0000 0011  ................
  0050: 0000 0000                                ....

12:01:08.249953 dcs.ufla.br.741 > francine.clark.williams.edu.sunrpc:  udp 56
  0000: 4500 0054 a261 0000 3111 88dd c883 fa18  E..T.a..1.......
  0010: 89a5 1219 02e5 006f 0040 35d3 5556 0522  .......o.@5.UV."
  0020: 0000 0000 0000 0002 0001 86a0 0000 0002  ................
  0030: 0000 0003 0000 0000 0000 0000 0000 0000  ................
  0040: 0000 0000 0001 86b8 0000 0001 0000 0011  ................
  0050: 0000 0000                                ....

12:01:08.640982 dcs.ufla.br.742 > rosinante.clark.williams.edu.sunrpc:  udp 56
  0000: 4500 0054 a40d 0000 3111 872c c883 fa18  E..T....1..,....
  0010: 89a5 121e 02e6 006f 0040 3362 77db e507  .......o.@3bw...
  0020: 0000 0000 0000 0002 0001 86a0 0000 0002  ................
  0030: 0000 0003 0000 0000 0000 0000 0000 0000  ................
  0040: 0000 0000 0001 86b8 0000 0001 0000 0011  ................
  0050: 0000 0000                                ....



PeteC

Peter Charbonneau
Sr. Networks and Systems Administrator
Williams College
(413) 597-3408
(209) 391- 9821 (fax)
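
Added example, not part of the original post: a Python decoder for the first packet in the dump above, reading it as IPv4, UDP and an ONC RPC call to the portmapper. The function names and the two small lookup tables are this example's own; the packet bytes are copied from the post.

```python
import socket
import struct

# First packet from the dump above (hex column only, IP header onward).
PACKET_HEX = """
4500 0054 92f1 0000 3211 a55c c883 fa18 89a5 040a 02e1 006f 0040 3990 1728 4da6
0000 0000 0000 0002 0001 86a0 0000 0002 0000 0003 0000 0000 0000 0000 0000 0000
0000 0000 0001 86b8 0000 0001 0000 0011 0000 0000
"""
# Standard ONC RPC assignments, abbreviated to what this capture needs.
RPC_PROGRAMS = {100000: "portmapper", 100024: "status"}
PMAP_PROCS = {0: "NULL", 1: "SET", 2: "UNSET", 3: "GETPORT", 4: "DUMP", 5: "CALLIT"}

def decode_portmap_call(raw: bytes) -> dict:
    """Decode IPv4 + UDP + ONC RPC v2 call + portmap v2 mapping arguments."""
    try:
        if raw[0] >> 4 != 4 or raw[9] != 17:
            raise ValueError("not an IPv4/UDP packet")
        ihl = (raw[0] & 0x0F) * 4
        sport, dport, udp_len, _csum = struct.unpack_from("!4H", raw, ihl)
        rpc = raw[ihl + 8 : ihl + udp_len]
        xid, mtype, rpcvers, prog, vers, proc = struct.unpack_from("!6I", rpc, 0)
        if mtype != 0 or rpcvers != 2:
            raise ValueError("not an ONC RPC version 2 call")
        off = 24
        for _ in range(2):  # credential, then verifier: flavor, length, body
            _flavor, length = struct.unpack_from("!2I", rpc, off)
            off += 8 + ((length + 3) & ~3)  # XDR pads opaque data to 4 bytes
        out = {
            "src": socket.inet_ntoa(raw[12:16]), "dst": socket.inet_ntoa(raw[16:20]),
            "src_port": sport, "dst_port": dport, "udp_payload_len": udp_len - 8,
            "xid": xid, "program": RPC_PROGRAMS.get(prog, str(prog)),
            "version": vers, "procedure": proc,
        }
        if prog == 100000 and vers == 2:
            out["procedure"] = PMAP_PROCS.get(proc, str(proc))
            if proc in (1, 2, 3):  # SET/UNSET/GETPORT all carry a 'mapping'
                t_prog, t_vers, t_prot, t_port = struct.unpack_from("!4I", rpc, off)
                out["asked_for"] = {
                    "program": t_prog, "name": RPC_PROGRAMS.get(t_prog, "unknown"),
                    "version": t_vers, "protocol": t_prot, "port": t_port,
                }
        return out
    except (IndexError, struct.error) as exc:
        raise ValueError(f"truncated packet: {exc}") from exc

def decode_sample() -> dict:
    return decode_portmap_call(bytes.fromhex("".join(PACKET_HEX.split())))

if __name__ == "__main__":
    print(decode_sample())
```

In the decoded result, 56 is the UDP payload length that tcpdump prints after "udp", and the destination port is 111 (0x006f), which tcpdump names sunrpc.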