Snort mailing list archives

spp_rpc_decode

From: Demetri Mouratis <dmourati () cm math uiuc edu>
Date: Wed, 5 Mar 2003 14:21:29 -0600 (CST)
As a few others on the list have mentioned, Snort 1.9.1 (Build 231) is
throwing alot of (spurious?) RPC alerts. I did some correlation in
ACID and found the following:

#6-25656| [2003-03-05 14:03:07-06] 63.229.102.3:25 -> 10.1.64.8:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC segment
#6-25654| [2003-03-05 14:03:07-06] 63.229.102.3:25 -> 10.1.64.8:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC segment
#6-25652| [2003-03-05 14:03:06-06] 63.229.102.3:25 -> 10.1.64.8:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC segment
#6-25650| [2003-03-05 14:03:06-06] 63.229.102.3:25 -> 10.1.64.8:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC segment
#6-25648| [2003-03-05 14:03:06-06] 63.229.102.3:25 -> 10.1.64.8:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC segment
#6-25646| [2003-03-05 14:03:06-06] 63.229.102.3:25 -> 10.1.64.8:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC segment
#6-25604| [2003-03-05 11:24:32-06] 198.109.121.2:25 -> 10.1.64.6:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-25602| [2003-03-05 11:24:31-06] 198.109.121.2:25 -> 10.1.64.6:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-25600| [2003-03-05 11:24:31-06] 198.109.121.2:25 -> 10.1.64.6:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-25595| [2003-03-05 11:07:23-06] 192.75.238.202:25 -> 10.1.64.7:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-25593| [2003-03-05 11:07:23-06] 192.75.238.202:25 -> 10.1.64.7:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-25590| [2003-03-05 11:07:23-06] 192.75.238.202:25 -> 10.1.64.7:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-25589| [2003-03-05 11:07:23-06] 192.75.238.202:25 -> 10.1.64.7:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-25587| [2003-03-05 11:07:23-06] 192.75.238.202:25 -> 10.1.64.7:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-25577| [2003-03-05 11:05:55-06] 192.75.238.202:25 -> 10.1.64.7:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-25575| [2003-03-05 11:05:55-06] 192.75.238.202:25 -> 10.1.64.7:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-25554| [2003-03-05 11:02:50-06] 64.157.4.84:25 -> 10.1.64.8:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC segment
#6-25552| [2003-03-05 11:02:50-06] 64.157.4.84:25 -> 10.1.64.8:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC segment
#6-25550| [2003-03-05 11:02:50-06] 64.157.4.84:25 -> 10.1.64.8:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC segment
#6-25490| [2003-03-05 09:23:25-06] 64.136.28.83:25 -> 10.1.64.7:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC segment
#6-25488| [2003-03-05 09:21:18-06] 64.136.20.83:25 -> 10.1.64.8:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC segment
#6-25343| [2003-03-05 06:02:17-06] 64.224.219.122:25 -> 10.1.64.7:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-25341| [2003-03-05 06:02:16-06] 64.224.219.122:25 -> 10.1.64.7:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-25339| [2003-03-05 06:02:16-06] 64.224.219.122:25 -> 10.1.64.7:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-25337| [2003-03-05 06:02:16-06] 64.224.219.122:25 -> 10.1.64.7:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-25335| [2003-03-05 06:02:16-06] 64.224.219.122:25 -> 10.1.64.7:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-25333| [2003-03-05 06:02:16-06] 64.224.219.122:25 -> 10.1.64.7:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-25330| [2003-03-05 06:01:20-06] 64.157.4.82:25 -> 10.1.64.8:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC segment
#6-25328| [2003-03-05 06:01:20-06] 64.157.4.82:25 -> 10.1.64.8:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC segment
#6-25326| [2003-03-05 06:01:20-06] 64.157.4.82:25 -> 10.1.64.8:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC segment
#6-25283| [2003-03-05 05:04:44-06] 64.12.138.152:25 -> 10.1.64.7:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-25281| [2003-03-05 05:04:43-06] 64.12.138.152:25 -> 10.1.64.7:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-25276| [2003-03-05 05:03:47-06] 64.147.15.80:25 -> 10.1.64.8:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC segment
#6-25274| [2003-03-05 05:03:47-06] 64.147.15.80:25 -> 10.1.64.8:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC segment
#6-25272| [2003-03-05 05:03:47-06] 64.147.15.80:25 -> 10.1.64.8:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC segment
#6-25270| [2003-03-05 05:03:47-06] 64.147.15.80:25 -> 10.1.64.8:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC segment
#6-25268| [2003-03-05 05:03:47-06] 64.147.15.80:25 -> 10.1.64.8:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC segment
#6-25028| [2003-03-04 23:15:10-06] 64.157.4.83:25 -> 10.1.64.6:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC segment
#6-25202| [2003-03-05 00:40:17-06] 130.76.64.47:25 -> 10.1.64.6:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC segment
#6-25200| [2003-03-05 00:40:17-06] 130.76.64.47:25 -> 10.1.64.6:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC segment
#6-25198| [2003-03-05 00:40:14-06] 130.76.64.47:25 -> 10.1.64.6:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC segment
#6-25196| [2003-03-05 00:40:14-06] 130.76.64.47:25 -> 10.1.64.6:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC segment
#6-25194| [2003-03-05 00:40:14-06] 130.76.64.47:25 -> 10.1.64.6:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC segment
#6-25192| [2003-03-05 00:40:14-06] 130.76.64.47:25 -> 10.1.64.6:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC segment
#6-25190| [2003-03-05 00:40:14-06] 130.76.64.47:25 -> 10.1.64.6:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC segment
#6-25099| [2003-03-04 23:56:53-06] 216.63.146.237:25 -> 10.1.64.7:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-25097| [2003-03-04 23:56:52-06] 216.63.146.237:25 -> 10.1.64.7:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-25095| [2003-03-04 23:56:52-06] 216.63.146.237:25 -> 10.1.64.7:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-25093| [2003-03-04 23:56:52-06] 216.63.146.237:25 -> 10.1.64.7:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-25091| [2003-03-04 23:56:52-06] 216.63.146.237:25 -> 10.1.64.7:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-25181| [2003-03-05 00:35:35-06] 216.168.230.137:25 -> 10.1.64.7:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-25179| [2003-03-05 00:35:34-06] 216.168.230.137:25 -> 10.1.64.7:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-25177| [2003-03-05 00:35:34-06] 216.168.230.137:25 -> 10.1.64.7:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-25175| [2003-03-05 00:35:34-06] 216.168.230.137:25 -> 10.1.64.7:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-25171| [2003-03-05 00:34:09-06] 65.54.253.230:25 -> 10.1.64.8:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-25169| [2003-03-05 00:34:08-06] 65.54.253.230:25 -> 10.1.64.8:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-25167| [2003-03-05 00:34:08-06] 65.54.253.230:25 -> 10.1.64.8:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-25165| [2003-03-05 00:34:08-06] 65.54.253.230:25 -> 10.1.64.8:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-25163| [2003-03-05 00:34:08-06] 65.54.253.230:25 -> 10.1.64.8:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-25142| [2003-03-05 00:20:29-06] 192.82.19.252:25 -> 10.1.64.6:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-25140| [2003-03-05 00:20:29-06] 192.82.19.252:25 -> 10.1.64.6:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-25138| [2003-03-05 00:20:28-06] 192.82.19.252:25 -> 10.1.64.6:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-25136| [2003-03-05 00:20:28-06] 192.82.19.252:25 -> 10.1.64.6:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-25134| [2003-03-05 00:20:27-06] 192.82.19.252:25 -> 10.1.64.6:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-25132| [2003-03-05 00:20:27-06] 192.82.19.252:25 -> 10.1.64.6:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-25124| [2003-03-05 00:14:28-06] 64.12.138.152:25 -> 10.1.64.8:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-25107| [2003-03-05 00:01:17-06] 198.150.96.10:25 -> 10.1.64.6:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-25105| [2003-03-05 00:01:17-06] 198.150.96.10:25 -> 10.1.64.6:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-25103| [2003-03-05 00:01:17-06] 198.150.96.10:25 -> 10.1.64.6:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-25089| [2003-03-04 23:56:52-06] 216.63.146.237:25 -> 10.1.64.7:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-25087| [2003-03-04 23:56:52-06] 216.63.146.237:25 -> 10.1.64.7:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-25082| [2003-03-04 23:55:39-06] 64.157.4.83:25 -> 10.1.64.8:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC segment
#6-25080| [2003-03-04 23:55:39-06] 64.157.4.83:25 -> 10.1.64.8:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC segment
#6-25078| [2003-03-04 23:55:39-06] 64.157.4.83:25 -> 10.1.64.8:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC segment
#6-25068| [2003-03-04 23:37:04-06] 204.146.55.140:25 -> 10.1.64.6:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-25066| [2003-03-04 23:37:03-06] 204.146.55.140:25 -> 10.1.64.6:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-25063| [2003-03-04 23:32:22-06] 12.1.237.116:25 -> 10.1.64.7:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC segment
#6-25061| [2003-03-04 23:32:22-06] 12.1.237.116:25 -> 10.1.64.7:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC segment
#6-25059| [2003-03-04 23:32:21-06] 12.1.237.116:25 -> 10.1.64.7:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC segment
#6-25057| [2003-03-04 23:31:14-06] 63.115.251.14:25 -> 10.1.64.8:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-25055| [2003-03-04 23:31:14-06] 63.115.251.14:25 -> 10.1.64.8:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-25053| [2003-03-04 23:31:13-06] 63.115.251.14:25 -> 10.1.64.8:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-25051| [2003-03-04 23:31:13-06] 63.115.251.14:25 -> 10.1.64.8:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-25049| [2003-03-04 23:31:12-06] 63.115.251.14:25 -> 10.1.64.8:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-25047| [2003-03-04 23:31:12-06] 63.115.251.14:25 -> 10.1.64.8:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-25045| [2003-03-04 23:31:12-06] 63.115.251.14:25 -> 10.1.64.8:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-25026| [2003-03-04 23:15:10-06] 64.157.4.83:25 -> 10.1.64.6:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC segment
#6-25024| [2003-03-04 23:15:10-06] 64.157.4.83:25 -> 10.1.64.6:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC segment
#6-25007| [2003-03-04 23:06:24-06] 135.90.90.104:25 -> 10.1.64.7:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-25005| [2003-03-04 23:06:24-06] 135.90.90.104:25 -> 10.1.64.7:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-25003| [2003-03-04 23:06:24-06] 135.90.90.104:25 -> 10.1.64.7:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-25001| [2003-03-04 23:06:24-06] 135.90.90.104:25 -> 10.1.64.7:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-24999| [2003-03-04 23:06:24-06] 135.90.90.104:25 -> 10.1.64.7:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-24997| [2003-03-04 23:06:13-06] 135.90.90.104:25 -> 10.1.64.7:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-24982| [2003-03-04 23:04:12-06] 150.143.103.14:25 -> 10.1.64.8:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-24980| [2003-03-04 23:04:12-06] 150.143.103.14:25 -> 10.1.64.8:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-24978| [2003-03-04 23:04:12-06] 150.143.103.14:25 -> 10.1.64.8:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-24976| [2003-03-04 23:04:12-06] 150.143.103.14:25 -> 10.1.64.8:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-24974| [2003-03-04 23:04:12-06] 150.143.103.14:25 -> 10.1.64.8:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-24972| [2003-03-04 23:04:03-06] 150.143.103.14:25 -> 10.1.64.8:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-24955| [2003-03-04 22:44:27-06] 64.71.185.100:25 -> 10.1.64.6:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-24953| [2003-03-04 22:44:27-06] 64.71.185.100:25 -> 10.1.64.6:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-24951| [2003-03-04 22:44:27-06] 64.71.185.100:25 -> 10.1.64.6:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-24949| [2003-03-04 22:44:27-06] 64.71.185.100:25 -> 10.1.64.6:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-24947| [2003-03-04 22:44:26-06] 64.71.185.100:25 -> 10.1.64.6:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-24945| [2003-03-04 22:44:26-06] 64.71.185.100:25 -> 10.1.64.6:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-24938| [2003-03-04 22:30:34-06] 164.47.187.11:25 -> 10.1.64.7:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-24936| [2003-03-04 22:30:34-06] 164.47.187.11:25 -> 10.1.64.7:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-24934| [2003-03-04 22:30:33-06] 164.47.187.11:25 -> 10.1.64.7:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-24932| [2003-03-04 22:30:33-06] 164.47.187.11:25 -> 10.1.64.7:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-24930| [2003-03-04 22:30:01-06] 207.69.200.44:25 -> 10.1.64.8:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-24928| [2003-03-04 22:30:01-06] 207.69.200.44:25 -> 10.1.64.8:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-24926| [2003-03-04 22:30:01-06] 207.69.200.44:25 -> 10.1.64.8:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-24924| [2003-03-04 22:30:01-06] 207.69.200.44:25 -> 10.1.64.8:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-24922| [2003-03-04 22:30:01-06] 207.69.200.44:25 -> 10.1.64.8:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-24904| [2003-03-04 22:14:32-06] 162.119.241.4:25 -> 10.1.64.6:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-24902| [2003-03-04 22:14:32-06] 162.119.241.4:25 -> 10.1.64.6:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-24900| [2003-03-04 22:14:32-06] 162.119.241.4:25 -> 10.1.64.6:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-24898| [2003-03-04 22:14:32-06] 162.119.241.4:25 -> 10.1.64.6:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-24896| [2003-03-04 22:14:32-06] 162.119.241.4:25 -> 10.1.64.6:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-24894| [2003-03-04 22:14:24-06] 162.119.241.4:25 -> 10.1.64.6:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-24886| [2003-03-04 22:06:55-06] 216.148.246.119:25 -> 10.1.64.7:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-24884| [2003-03-04 22:06:55-06] 216.148.246.119:25 -> 10.1.64.7:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-24882| [2003-03-04 22:06:55-06] 216.148.246.119:25 -> 10.1.64.7:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-24880| [2003-03-04 22:06:54-06] 216.148.246.119:25 -> 10.1.64.7:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-24878| [2003-03-04 22:06:54-06] 216.148.246.119:25 -> 10.1.64.7:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-24868| [2003-03-04 22:06:15-06] 216.148.246.119:25 -> 10.1.64.7:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-24866| [2003-03-04 22:04:58-06] 24.93.35.209:25 -> 10.1.64.8:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC segment
#6-24864| [2003-03-04 22:04:58-06] 24.93.35.209:25 -> 10.1.64.8:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC segment
#6-24862| [2003-03-04 22:04:57-06] 24.93.35.209:25 -> 10.1.64.8:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC segment
#6-24860| [2003-03-04 22:04:57-06] 24.93.35.209:25 -> 10.1.64.8:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC segment
#6-24858| [2003-03-04 22:04:56-06] 24.93.35.209:25 -> 10.1.64.8:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC segment
#6-24856| [2003-03-04 22:04:35-06] 24.93.35.209:25 -> 10.1.64.8:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC segment
#6-24785| [2003-03-04 17:13:15-06] 208.245.180.8:25 -> 10.1.64.6:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-24783| [2003-03-04 17:13:14-06] 208.245.180.8:25 -> 10.1.64.6:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-24781| [2003-03-04 17:13:14-06] 208.245.180.8:25 -> 10.1.64.6:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-24779| [2003-03-04 17:13:13-06] 208.245.180.8:25 -> 10.1.64.6:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-24777| [2003-03-04 17:13:13-06] 208.245.180.8:25 -> 10.1.64.6:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-24771| [2003-03-04 17:09:04-06] 209.196.77.105:25 -> 10.1.64.7:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-24769| [2003-03-04 17:09:03-06] 209.196.77.105:25 -> 10.1.64.7:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-24767| [2003-03-04 17:09:03-06] 209.196.77.105:25 -> 10.1.64.7:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-24765| [2003-03-04 17:09:03-06] 209.196.77.105:25 -> 10.1.64.7:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-24763| [2003-03-04 17:08:51-06] 209.226.51.15:25 -> 10.1.64.8:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-24761| [2003-03-04 17:08:51-06] 209.226.51.15:25 -> 10.1.64.8:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-24759| [2003-03-04 17:08:51-06] 209.226.51.15:25 -> 10.1.64.8:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment
#6-24757| [2003-03-04 17:08:51-06] 209.226.51.15:25 -> 10.1.64.8:32771 [snort/4]  (spp_rpc_decode) Incomplete RPC 
segment

Dport 32771 keeps coming up.  From my snort.conf:

preprocessor rpc_decode: 111 32771

On my 10.1.64.0/24 net, I am sending smtp traffic to the internet.
Whenever a smtp connection happens to goe out on 32771, spp_rpc_decode
complains on the return traffic back to 32771.

Hope this helps describe the issue.
---------------------------------------------------------------------
Demetri Mouratis
dmourati () linfactory com



-------------------------------------------------------
This SF.net email is sponsored by: Etnus, makers of TotalView, The debugger 
for complex code. Debugging C/C++ programs can leave you feeling lost and 
disoriented. TotalView can help you find your way. Available on major UNIX 
and Linux platforms. Try it free. www.etnus.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:

spp_rpc_decode Demetri Mouratis (Mar 05)
- <Possible follow-ups>
- Re: spp_rpc_decode Kenneth G. Arnold (Mar 05)