Schmehl, Paul L
pauls at ...6838...
Wed Dec 3 14:06:04 EST 2003
I'm getting Incomplete RPC segment alerts as well as Multiple RPC
Records alerts. I've read the manual and searched the archives, and I
know how to disable them, but I can't find any information on what those
Can someone point me to a resource/doc that explains what those alerts
Since you can configure the ports the preprocessor decodes traffic on, I
would assume that 111 and 32771 are used in order to cover both
"standard" and SUN RPC traffic. Is this correct?
Is there a way to specify the source port as opposed to destination
port? The alerts I'm seeing appear to be a normal ssh session with src
port 22 and dest port 32771 (which is why the alerts are being
triggered.) If I could specify 111 and 32771 as src ports only, that
would seem to make more sense to me.
My C skills aren't that great, but I don't see anything in
spp_rpc_decode.c that specifically identifies packets as RPC packets as
opposed to plain old TCP traffic on a port. Did I miss something? Or
is the assumption that traffic on those ports *must* be RPC? If so,
wouldn't it make more sense to define the ports as src ports only? Or
am I so clueless that I've completely missed the point?
Paul Schmehl (pauls at ...6838...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
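Added illustration (not part of the original post, and not code from Snort's spp_rpc_decode.c): a small Python model of what a port-based RPC record parser sees when it is handed a TCP segment. It walks the RFC 1831 record-marking headers (4-byte mark: high bit = last fragment, low 31 bits = fragment length) and classifies the segment into the situations the alert names above describe, then separately applies the kind of cheap "is this really an RPC header?" sanity check the post asks about. The sample payloads (a portmapper GETPORT call and an SSH banner) are constructed here; the 32771 pairing with an SSH session is the poster's scenario, and the alert conditions are an approximation of the preprocessor's logic, not a transcription of it.

```python
"""Model of port-based RPC record-marking parsing (RFC 1831 section 10).

Constructed illustration only: approximates the alert conditions named in
the thread, it is not spp_rpc_decode.c.
"""
import struct

LAST_FRAGMENT = 0x80000000   # high bit of the 4-byte record mark
RPC_CALL, RPC_REPLY = 0, 1   # msg_type values from RFC 1831
RPC_VERSION = 2


def classify_records(payload):
    """Walk the record marks in one TCP segment's payload.

    Returns (verdict, fragments):
      'incomplete_segment' - a mark claims more bytes than the segment holds
      'multiple_records'   - more than one record mark in the same segment
      'fragmented'         - one record whose last-fragment bit is clear
      'ok'                 - exactly one complete, last-fragment record
    A non-RPC payload is parsed exactly the same way: its first four bytes
    are taken as a record mark, which is why arbitrary traffic on a
    configured port produces these verdicts.
    """
    fragments = []
    last_seen = False
    off = 0
    while off < len(payload):
        if len(payload) - off < 4:
            return "incomplete_segment", fragments
        (mark,) = struct.unpack("!I", payload[off:off + 4])
        last_seen = bool(mark & LAST_FRAGMENT)
        length = mark & 0x7FFFFFFF
        if off + 4 + length > len(payload):
            return "incomplete_segment", fragments
        fragments.append(payload[off + 4:off + 4 + length])
        off += 4 + length
    if len(fragments) > 1:
        return "multiple_records", fragments
    if not last_seen:
        return "fragmented", fragments
    return "ok", fragments


def looks_like_rpc_message(fragment):
    """Sanity check the post asks about: does the fragment begin with a
    plausible RPC header (xid, msg_type CALL/REPLY, rpcvers 2 for CALL)?
    A port-only parser never asks this question."""
    if len(fragment) < 12:
        return False
    _xid, msg_type, third = struct.unpack("!III", fragment[:12])
    if msg_type == RPC_CALL:
        return third == RPC_VERSION
    return msg_type == RPC_REPLY


def build_rpc_call(xid, prog, vers, proc, args=b""):
    """Encode an ONC RPC CALL (AUTH_NULL credential and verifier) inside a
    single last-fragment record mark."""
    body = struct.pack("!IIIIII", xid, RPC_CALL, RPC_VERSION, prog, vers, proc)
    body += struct.pack("!IIII", 0, 0, 0, 0)   # cred flavor/len, verf flavor/len
    body += args
    return struct.pack("!I", LAST_FRAGMENT | len(body)) + body


# Constructed sample: portmapper (prog 100000 v2) GETPORT (proc 3) asking
# for mountd (prog 100005 v1) over TCP (6), port field 0.
PMAP_GETPORT = build_rpc_call(0x1234ABCD, 100000, 2, 3,
                              struct.pack("!IIII", 100005, 1, 6, 0))

# Constructed sample: the server banner at the start of an SSH session whose
# client side happens to sit on port 32771, as in the post.
SSH_BANNER = b"SSH-2.0-OpenSSH_3.7.1p2\r\n"


def demo():
    """Return (verdict, passes_header_check) for each sample."""
    samples = {
        "rpc_call": PMAP_GETPORT,
        "two_rpc_calls": PMAP_GETPORT * 2,
        "truncated_rpc_call": PMAP_GETPORT[:40],
        "ssh_banner": SSH_BANNER,
    }
    out = {}
    for name, payload in samples.items():
        verdict, frags = classify_records(payload)
        out[name] = (verdict, bool(frags) and looks_like_rpc_message(frags[0]))
    return out


if __name__ == "__main__":
    for name, (verdict, is_rpc) in demo().items():
        print(f"{name:20s} {verdict:20s} header_check={is_rpc}")
```

The SSH banner starts with the bytes "SSH-", which a mark-only parser reads as a record of 0x5353482D bytes, far more than the segment holds, so it lands in the incomplete-segment bucket even though nothing about it is RPC; the header check in looks_like_rpc_message is what distinguishes it from the real portmapper call.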