[Snort-users] spp_rpc_decode

Jeremy Hewlett jh at ...1935...
Fri Dec 5 18:19:01 EST 2003


On Wed, Dec 03, Schmehl, Paul L wrote:
> I'm getting Incomplete RPC segment alerts as well as Multiple RPC
> Records alerts.  I've read the manual and searched the archives, and I
> know how to disable them, but I can't find any information on what those
> alerts mean.

Josh Berry's definition of these is pretty good, so I won't rehash
that. You might also find RFC1831 and Robert Graham's Sidestep tool
(the rpc evasion part) interesting to look at.

> Since you can configure the ports the preprocessor decodes traffic on, I
> would assume that 111 and 32771 are used in order to cover both
> "standard" and SUN RPC traffic.  Is this correct?

Yup.

> My C skills aren't that great, but I don't see anything in
> spp_rpc_decode.c that specifically identifies packets as RPC packets as
> opposed to plain old TCP traffic on a port.  Did I miss something?  Or
> is the assumption that traffic on those ports *must* be RPC?  If so,

Correct.

> wouldn't it make more sense to define the ports as src ports only?  Or
> am I so clueless that I've completely missed the point?

As clients would be sending requests/attacks/whatever to these ports,
making it src only defeats the normalization effort.
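As an added illustration, not part of Jeremy's reply and not Snort's own spp_rpc_decode code, the following Python walks the RFC 1831 record marking of RPC over TCP in a single segment payload and reassembles fragments into whole records. Each record fragment starts with a 4-byte big-endian marker whose high bit says "last fragment of this record" and whose low 31 bits give the fragment length. The two anomaly labels it emits are named after the alerts discussed in this thread; how the function decides to raise them (a fragment length running past the end of the payload, and more than one complete record in one segment) is this author's reading of the record-marking rules, and the function and helper names are invented for the example. The sample payloads are constructed.

```python
import struct

# RFC 1831 record marking: high bit marks the last fragment, low 31 bits are the length.
LAST_FRAG = 0x80000000
LEN_MASK = 0x7FFFFFFF


def marker(length: int, last: bool = True) -> bytes:
    """Build a 4-byte record-marking header (helper for constructing test payloads)."""
    return struct.pack(">I", (LAST_FRAG if last else 0) | (length & LEN_MASK))


def parse_rpc_records(payload: bytes):
    """Walk the record fragments in one TCP segment payload.

    Returns (records, flags): records is the list of reassembled RPC record
    bodies (fragments of one record concatenated, which is the normalization
    the thread refers to); flags is a set of anomaly labels modelled on the
    spp_rpc_decode alert names, with detection logic that is this example's
    own, not Snort's.
    """
    records = []
    flags = set()
    current = bytearray()   # fragments of the record being assembled
    offset = 0

    while offset < len(payload):
        if len(payload) - offset < 4:
            # Not even a whole record marker is left in the segment.
            flags.add("Incomplete RPC segment")
            break
        (hdr,) = struct.unpack_from(">I", payload, offset)
        frag_len = hdr & LEN_MASK
        last = bool(hdr & LAST_FRAG)
        offset += 4

        if frag_len > len(payload) - offset:
            # The marker promises more bytes than this segment carries.
            flags.add("Incomplete RPC segment")
            break

        current += payload[offset:offset + frag_len]
        offset += frag_len

        if last:
            records.append(bytes(current))
            current = bytearray()

    if len(records) > 1:
        # Several complete records packed into one segment.
        flags.add("Multiple RPC Records")

    return records, flags


# Constructed sample payloads for a quick demonstration.
SINGLE = marker(12) + b"A" * 12
TRUNCATED = marker(40) + b"B" * 10
TWO_RECORDS = marker(4) + b"AAAA" + marker(4) + b"BBBB"
FRAGMENTED = marker(4, last=False) + b"CCCC" + marker(4, last=True) + b"DDDD"

if __name__ == "__main__":
    for name, data in [("single", SINGLE), ("truncated", TRUNCATED),
                       ("two records", TWO_RECORDS), ("fragmented", FRAGMENTED)]:
        recs, flgs = parse_rpc_records(data)
        print(f"{name:12s} records={recs} flags={sorted(flgs)}")
```

The fragmented sample is the case the normalization exists for: two fragments that carry one logical request are joined back into the single record a rule would match on, so a sender cannot hide a request simply by splitting it across record fragments. Because the check runs on whatever arrives at the configured ports from either direction, restricting the preprocessor to source ports would skip exactly the client-originated traffic it is meant to reassemble.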
