jh at ...1935...
Fri Dec 5 18:19:01 EST 2003
On Wed, Dec 03, Schmehl, Paul L wrote:
> I'm getting Incomplete RPC segment alerts as well as Multiple RPC
> Records alerts. I've read the manual and searched the archives, and I
> know how to disable them, but I can't find any information on what those
> alerts mean.
Josh Berry's definition of these is pretty good, so I won't rehash
that. You might also find RFC1831 and Robert Graham's Sidestep tool
(the rpc evasion part) interesting to look at.
> Since you can configure the ports the preprocessor decodes traffic on, I
> would assume that 111 and 32771 are used in order to cover both
> "standard" and SUN RPC traffic. Is this correct?
> My C skills aren't that great, but I don't see anything in
> spp_rpc_decode.c that specifically identifies packets as RPC packets as
> opposed to plain old TCP traffic on a port. Did I miss something? Or
> is the assumption that traffic on those ports *must* be RPC? If so,
> wouldn't it make more sense to define the ports as src ports only? Or
> am I so clueless that I've completely missed the point?
As clients would be sending requests/attacks/whatever to these ports,
making it src only defeats the normalization effort.
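As an added example (not from this thread and not Snort's spp_rpc_decode.c), the Python below walks the RFC 1831 record marks in one TCP segment payload and flags the two conditions the alerts are named after: a record mark that promises more bytes than the segment carries, and more than one complete RPC record inside a single segment. The sample segments are constructed for the demo; the xid values are made up, and the call body is a portmapper (program 100000) GETPORT request with AUTH_NULL credentials.

```python
import struct
from dataclasses import dataclass, field

LAST_FRAGMENT = 0x80000000   # RFC 1831 record mark: high bit = last fragment of the record
LENGTH_MASK = 0x7FFFFFFF     # low 31 bits = fragment length in bytes

@dataclass
class RpcSegmentReport:
    records: int = 0          # complete RPC records seen in this segment
    incomplete: bool = False  # a mark promised bytes the segment does not carry
    findings: list = field(default_factory=list)

def scan_rpc_segment(payload: bytes) -> RpcSegmentReport:
    """Walk the record marks in one TCP segment payload (an illustration, not Snort's code)."""
    report, offset = RpcSegmentReport(), 0
    while offset < len(payload):
        if len(payload) - offset < 4:
            report.incomplete = True
            report.findings.append(f"truncated record mark at offset {offset}")
            break
        (mark,) = struct.unpack_from("!I", payload, offset)
        frag_len, offset = mark & LENGTH_MASK, offset + 4
        if frag_len > len(payload) - offset:
            report.incomplete = True
            report.findings.append(f"fragment of {frag_len} bytes, only {len(payload) - offset} present")
            break
        offset += frag_len
        if mark & LAST_FRAGMENT:      # a record is complete only at its last fragment
            report.records += 1
    if report.records > 1:
        report.findings.append("multiple RPC records in one segment")
    return report

def frame(fragment: bytes, last: bool = True) -> bytes:
    """Prefix one fragment with its RFC 1831 record mark."""
    return struct.pack("!I", (LAST_FRAGMENT if last else 0) | len(fragment)) + fragment

def rpc_call_body(xid: int, prog: int, proc: int) -> bytes:
    """Constructed RPC CALL body: xid, CALL, rpcvers 2, prog, vers 2, proc, AUTH_NULL cred and verf."""
    return struct.pack("!IIIIII", xid, 0, 2, prog, 2, proc) + struct.pack("!IIII", 0, 0, 0, 0)

# Constructed sample segments: xids are made up, 100000/3 is portmapper GETPORT (40-byte body).
BODY = rpc_call_body(0x1001, 100000, 3)
SINGLE = frame(BODY)                                          # one well-formed record
MULTIPLE = SINGLE + frame(rpc_call_body(0x1002, 100000, 3))   # two records in one segment
INCOMPLETE = SINGLE[:-8]                                      # mark promises 40 bytes, 32 present
FRAGMENTED = frame(BODY[:24], last=False) + frame(BODY[24:])  # one record split into two fragments
```

Running `scan_rpc_segment` over `MULTIPLE` and `INCOMPLETE` reproduces the two alert conditions, while `FRAGMENTED` shows that a record split across fragments still counts as a single record once its last fragment arrives.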