[Snort-users] spp_rpc_decode

Josh Berry josh.berry at ...10221...
Wed Dec 3 21:14:02 EST 2003


I believe the Multiple RPC Record alert means that there were several RPC
requests in one packet and the Incomplete one is when one request is not
contained in one packet (split across multiple packets).

I don't know if that helps at all, that is the most information that I
could find.

> I'm getting Incomplete RPC segment alerts as well as Multiple RPC
> Records alerts.  I've read the manual and searched the archives, and I
> know how to disable them, but I can't find any information on what those
> alerts mean.
>
> Can someone point me to a resource/doc that explains what those alerts
> mean?
>
> Since you can configure the ports the preprocessor decodes traffic on, I
> would assume that 111 and 32771 are used in order to cover both
> "standard" and SUN RPC traffic.  Is this correct?
>
> Is there a way to specify the source port as opposed to destination
> port?  The alerts I'm seeing appear to be a normal ssh session with src
> port 22 and dest port 32771 (which is why the alerts are being
> triggered.)  If I could specify 111 and 32771 as src ports only, that
> would seem to make more sense to me.
>
> My C skills aren't that great, but I don't see anything in
> spp_rpc_decode.c that specifically identifies packets as RPC packets as
> opposed to plain old TCP traffic on a port.  Did I miss something?  Or
> is the assumption that traffic on those ports *must* be RPC?  If so,
> wouldn't it make more sense to define the ports as src ports only?  Or
> am I so clueless that I've completely missed the point?
>
> Paul Schmehl (pauls at ...6838...)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu/~pauls/
>


Thanks,
Josh Berry, CTO
LinkNet-Solutions
469-831-8543
josh.berry at ...10268...
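To make the two conditions discussed in this thread concrete, here is an added example (not Snort's spp_rpc_decode code, and not written by either poster). It walks the RPC-over-TCP record marking defined in RFC 5531 (a 4-byte big-endian fragment header: high bit set on the last fragment, low 31 bits giving the fragment length) and reports "Multiple RPC Records" when more than one record sits in a single TCP payload and "Incomplete RPC segment" when a record's declared length runs past the end of the payload. The `looks_like_rpc_call` check is my own illustration of the kind of header sanity test Paul was looking for (ONC RPC v2 CALL messages carry msg_type 0 and rpcvers 2 as their second and third words); it is an assumption about what a decoder could do, not a description of what the preprocessor does. All sample payloads, including the SSH-banner-like string, are constructed inline.

```python
import struct

# Constructed sample data, not a capture. ONC RPC v2 CALL header (RFC 5531):
# xid, msg_type (0 = CALL), rpcvers (2), prog, vers, proc, followed by the
# credential and verifier, each as flavor + opaque length (AUTH_NULL = 0, 0).
def build_call(xid, prog=100000, vers=2, proc=0):
    header = struct.pack(">IIIIII", xid, 0, 2, prog, vers, proc)
    auth_null = struct.pack(">II", 0, 0)
    return header + auth_null + auth_null

def frame(body, last=True):
    # RPC over TCP uses record marking: a 4-byte big-endian header whose
    # high bit means "last fragment" and whose low 31 bits hold the length.
    return struct.pack(">I", len(body) | (0x80000000 if last else 0)) + body

def looks_like_rpc_call(body):
    # Hypothetical sanity check (my illustration, not spp_rpc_decode's logic):
    # a CALL has msg_type 0 and rpcvers 2 in its second and third words.
    if len(body) < 12:
        return False
    _xid, msg_type, rpcvers = struct.unpack_from(">III", body, 0)
    return msg_type == 0 and rpcvers == 2

def classify(payload):
    """Walk the record-marking headers in one TCP payload and report the
    two conditions the alerts describe: more than one record in the packet,
    or a record whose declared length runs past the end of the packet."""
    records, incomplete, offset = 0, False, 0
    while offset < len(payload):
        if len(payload) - offset < 4:
            incomplete = True          # not even a full fragment header left
            break
        (hdr,) = struct.unpack_from(">I", payload, offset)
        length = hdr & 0x7FFFFFFF      # mask off the last-fragment bit
        offset += 4
        if length > len(payload) - offset:
            incomplete = True          # record continues in a later packet
            break
        offset += length
        records += 1
    alerts = []
    if records > 1:
        alerts.append("Multiple RPC Records")
    if incomplete:
        alerts.append("Incomplete RPC segment")
    return {"records": records, "incomplete": incomplete, "alerts": alerts}

if __name__ == "__main__":
    one = frame(build_call(1))
    two = frame(build_call(1)) + frame(build_call(2))
    cut = frame(build_call(3))[:20]            # request split across packets
    ssh = b"SSH-2.0-OpenSSH_3.7p1\r\n"        # constructed, non-RPC payload
    for name, p in [("one", one), ("two", two), ("cut", cut), ("ssh", ssh)]:
        print(name, classify(p), "rpc_call_header:", looks_like_rpc_call(p[4:]))
```

The SSH-like payload shows why plain traffic on a configured port trips the Incomplete alert: the bytes "SSH-" read as a fragment header claiming a length far larger than the packet, and nothing in the record-marking walk alone distinguishes that from a genuinely split RPC request; the header sanity check is one cheap way to tell the two apart before alerting.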