[Snort-users] spp_rpc_decode

Schmehl, Paul L pauls at ...6838...
Wed Dec 3 14:06:04 EST 2003

I'm getting Incomplete RPC segment alerts as well as Multiple RPC
Records alerts.  I've read the manual and searched the archives, and I
know how to disable them, but I can't find any information on what those
alerts mean.

Can someone point me to a resource/doc that explains what those alerts

Since you can configure the ports the preprocessor decodes traffic on, I
would assume that 111 and 32771 are used in order to cover both
"standard" and SUN RPC traffic.  Is this correct?

Is there a way to specify the source port as opposed to destination
port?  The alerts I'm seeing appear to be a normal ssh session with src
port 22 and dest port 32771 (which is why the alerts are being
triggered.)  If I could specify 111 and 32771 as src ports only, that
would seem to make more sense to me.

My C skills aren't that great, but I don't see anything in
spp_rpc_decode.c that specifically identifies packets as RPC packets as
opposed to plain old TCP traffic on a port.  Did I miss something?  Or
is the assumption that traffic on those ports *must* be RPC?  If so,
wouldn't it make more sense to define the ports as src ports only?  Or
am I so clueless that I've completely missed the point?

Paul Schmehl (pauls at ...6838...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
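The two alerts asked about above come down to how RPC-over-TCP frames its messages: every fragment starts with a 4-byte big-endian record-marking header (RFC 1831/5531) whose high bit says "last fragment of this record" and whose low 31 bits give the fragment length. The following Python is an added illustration written for this thread, not code from Snort or from spp_rpc_decode.c, and it makes no claim about how that preprocessor is implemented internally. It walks a TCP payload as a sequence of such fragments and reports the two conditions the alerts are named after: a fragment that declares more bytes than the payload carries ("incomplete"), and more than one complete record in a single payload ("multiple records"). The sample payloads are constructed inline, and the 65535-byte sanity limit on fragment length is my own assumption. The last sample, an SSH banner, shows why a plain ssh session on a configured port trips the incomplete-segment condition: the bytes "SSH-" are read as a record header claiming a length of about 1.4 billion bytes.

```python
"""Illustrative RPC record-marking walk (constructed example, not Snort code)."""
import struct
from dataclasses import dataclass, field

LAST_FRAGMENT = 0x80000000   # high bit of the record-marking header
LENGTH_MASK = 0x7FFFFFFF     # low 31 bits: fragment length in bytes
MAX_FRAGMENT = 65535         # assumed sanity limit, not a protocol constant


@dataclass
class RpcCheck:
    records: int = 0                 # complete records found in the payload
    incomplete: bool = False         # a fragment promised more bytes than were present
    multiple: bool = False           # more than one complete record in one payload
    notes: list = field(default_factory=list)


def check_rpc_records(payload: bytes, max_fragment: int = MAX_FRAGMENT) -> RpcCheck:
    """Parse payload as RFC 1831/5531 record fragments and report what was found."""
    result = RpcCheck()
    offset = 0
    while offset < len(payload):
        if len(payload) - offset < 4:
            result.incomplete = True
            result.notes.append(f"truncated fragment header at offset {offset}")
            break
        (hdr,) = struct.unpack("!I", payload[offset:offset + 4])
        last = bool(hdr & LAST_FRAGMENT)
        length = hdr & LENGTH_MASK
        offset += 4
        if length > max_fragment:
            result.notes.append(f"fragment length {length} exceeds {max_fragment}")
        remaining = len(payload) - offset
        if length > remaining:
            result.incomplete = True
            result.notes.append(f"fragment declares {length} bytes, only {remaining} remain")
            break
        offset += length
        if last:
            result.records += 1
    result.multiple = result.records > 1
    return result


def rpc_record(body: bytes, last: bool = True) -> bytes:
    """Build one record fragment: 4-byte header followed by the body."""
    hdr = (LAST_FRAGMENT if last else 0) | len(body)
    return struct.pack("!I", hdr) + body


# Constructed sample payloads (not captured traffic).
ONE_CALL = rpc_record(b"\x00\x00\x00\x01" + b"\x00" * 36)      # one 40-byte record
TWO_CALLS = ONE_CALL + rpc_record(b"\x00\x00\x00\x02" + b"\x00" * 36)
TRUNCATED = ONE_CALL[:20]                                        # header promises 40 bytes, 16 follow
SSH_BANNER = b"SSH-2.0-OpenSSH_3.7p1\r\n"                        # first bytes an ssh server sends


if __name__ == "__main__":
    for name, data in [("one call", ONE_CALL), ("two calls", TWO_CALLS),
                       ("truncated", TRUNCATED), ("ssh banner", SSH_BANNER)]:
        r = check_rpc_records(data)
        print(f"{name:10s} records={r.records} incomplete={r.incomplete} "
              f"multiple={r.multiple} {'; '.join(r.notes)}")
```

Running the block prints one line per sample: the single call yields one record and no flags, the two-call payload sets `multiple`, and both the truncated record and the SSH banner set `incomplete`. The banner case is the one relevant to the question: with only a port to go on, any non-RPC bytes that happen to land on that port are parsed as a record header, and most of them will look like a fragment that never finishes.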

