[Snort-users] spp_rpc_decode

Paul Schmehl pauls at ...6838...
Fri Dec 5 19:03:03 EST 2003


--On Friday, December 05, 2003 9:18 PM -0500 Jeremy Hewlett 
<jh at ...1935...> wrote:
>
> Josh Berry's definition of these is pretty good, so I won't rehash
> that. You might also find RFC1831 and Robert Graham's Sidestep tool
> (the rpc evasion part) interesting to look at.
>
Thanks for the pointers, Jeremy.  I've already studied the RFC some, 
although I must confess I sometimes have trouble plowing through those, but 
I'll look for Robert's tool.
>
>> wouldn't it make more sense to define the ports as src ports only?  Or
>> am I so clueless that I've completely missed the point?
>
> As clients would be sending requests/attacks/whatever to these ports,
> making it src only defeats the normalization effort.
>
OK.  I guess I don't fully comprehend the process of normalization.  I 
thought I understood it to be the reassembly of fragmented packets as well 
as the conversion of "special" characters to the "standard" expected input 
(removal of unicode, etc.)  Is my understanding incorrect?  Does it require 
both sides of the conversation to normalize the input to those ports?
>
Paul Schmehl (pauls at ...6838...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
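
Added example, not part of the original thread and not Snort's own code: a sketch of the record-marking reassembly defined in RFC 1831, the kind of normalization discussed above for the requests clients send to RPC ports. The function names and the sample call header are constructed for illustration.

```python
import struct

LAST_FRAGMENT = 0x80000000  # RFC 1831 record marking: high bit = final fragment


def mark(fragment: bytes, last: bool) -> bytes:
    """Prefix a fragment with its 4-byte record mark (used to build samples)."""
    return struct.pack(">I", len(fragment) | (LAST_FRAGMENT if last else 0)) + fragment


def normalize_rpc_stream(data: bytes) -> list:
    """Merge record-marked fragments into complete RPC messages."""
    messages, current, pending, offset = [], bytearray(), False, 0
    while offset < len(data):
        if len(data) - offset < 4:
            raise ValueError("truncated record mark")
        (header,) = struct.unpack_from(">I", data, offset)
        length = header & 0x7FFFFFFF  # low 31 bits = fragment length
        offset += 4
        if len(data) - offset < length:
            raise ValueError("fragment shorter than declared length")
        current += data[offset:offset + length]
        offset += length
        pending = not (header & LAST_FRAGMENT)
        if not pending:
            messages.append(bytes(current))
            current = bytearray()
    if pending:
        raise ValueError("stream ended before a last-fragment mark")
    return messages


def program_number(message: bytes) -> int:
    """Program field of an RPC call: fourth 32-bit word (xid, type, rpcvers, prog)."""
    return struct.unpack_from(">I", message, 12)[0]


# Constructed sample: a call header for program 100000 (portmapper), version 2,
# procedure 3, with empty credential and verifier. Not captured traffic.
CALL = struct.pack(">10I", 0x1234, 0, 2, 100000, 2, 3, 0, 0, 0, 0)
WHOLE = mark(CALL, last=True)  # the call sent as a single fragment
SPLIT = mark(CALL[:6], False) + mark(CALL[6:14], False) + mark(CALL[14:], True)

if __name__ == "__main__":
    for name, stream in (("whole", WHOLE), ("split", SPLIT)):
        msgs = normalize_rpc_stream(stream)
        print(name, len(stream), "bytes on wire ->", program_number(msgs[0]))
```

The two streams differ on the wire, but after reassembly a check on the program field sees the same bytes at the same offset in both.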



