Snort mailing list archives
spp_rpc_decode
From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Wed, 3 Dec 2003 16:05:49 -0600
I'm getting Incomplete RPC segment alerts as well as Multiple RPC Records alerts. I've read the manual and searched the archives, and I know how to disable them, but I can't find any information on what those alerts mean. Can someone point me to a resource/doc that explains what those alerts mean?

Since you can configure the ports the preprocessor decodes traffic on, I would assume that 111 and 32771 are used in order to cover both "standard" and SUN RPC traffic. Is this correct? Is there a way to specify the source port as opposed to destination port? The alerts I'm seeing appear to be a normal ssh session with src port 22 and dest port 32771 (which is why the alerts are being triggered.) If I could specify 111 and 32771 as src ports only, that would seem to make more sense to me.

My C skills aren't that great, but I don't see anything in spp_rpc_decode.c that specifically identifies packets as RPC packets as opposed to plain old TCP traffic on a port. Did I miss something? Or is the assumption that traffic on those ports *must* be RPC? If so, wouldn't it make more sense to define the ports as src ports only? Or am I so clueless that I've completely missed the point?

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/
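As an added illustration (not part of Paul's message and not code from Snort's spp_rpc_decode), the following Python parser walks the record-marking layer that ONC RPC uses over TCP (RFC 1831: a 4-byte big-endian header per fragment, top bit set on the last fragment, low 31 bits giving the fragment length) and reports the two conditions that the alert names suggest: a segment that ends mid-record, and a segment carrying more than one complete record. The mapping of those conditions onto the "Incomplete RPC segment" and "Multiple RPC Records" alert names is an assumption made here; the sample records and the SSH banner are constructed. It also shows a plausibility check on the RPC call header (message type CALL, RPC version 2) of the kind a port-only decoder does not perform, which is why the ssh session on port 32771 looks like an endless incomplete record to it.

```python
import struct

LAST_FRAGMENT = 0x80000000   # top bit of the record-marking header
LENGTH_MASK = 0x7FFFFFFF     # low 31 bits: fragment length
RPC_CALL = 0                 # msg_type value for a call (reply is 1)
RPC_VERSION = 2


def parse_rpc_records(payload: bytes):
    """Split a TCP segment into ONC RPC record fragments.

    Returns (records, incomplete). Each record is a dict with the
    last-fragment flag, the declared length and the fragment bytes.
    'incomplete' is True when the segment ends before a fragment is
    finished (or before its 4-byte header is complete).
    """
    records = []
    offset = 0
    while offset < len(payload):
        if offset + 4 > len(payload):          # header itself is cut off
            return records, True
        (hdr,) = struct.unpack_from(">I", payload, offset)
        length = hdr & LENGTH_MASK
        offset += 4
        if offset + length > len(payload):     # fragment body is cut off
            return records, True
        records.append({
            "last": bool(hdr & LAST_FRAGMENT),
            "length": length,
            "data": payload[offset:offset + length],
        })
        offset += length
    return records, False


def classify_segment(payload: bytes):
    """Name the record-marking anomalies found in one segment."""
    records, incomplete = parse_rpc_records(payload)
    flags = []
    if incomplete:
        flags.append("incomplete_rpc_segment")
    if len(records) > 1:
        flags.append("multiple_rpc_records")
    return flags


def looks_like_rpc_call(payload: bytes) -> bool:
    """Check that the first complete record starts with a sane RPC call
    header: xid, msg_type == CALL, rpcvers == 2 (RFC 1831 section 8)."""
    records, _ = parse_rpc_records(payload)
    if not records or len(records[0]["data"]) < 12:
        return False
    _xid, msg_type, rpcvers = struct.unpack_from(">III", records[0]["data"], 0)
    return msg_type == RPC_CALL and rpcvers == RPC_VERSION


# Constructed sample: one portmapper GETPORT call (prog 100000, vers 2,
# proc 3) with AUTH_NULL credentials and verifier, wrapped in a single
# last-fragment record.
_call_body = struct.pack(">IIIIII", 0x1234, RPC_CALL, RPC_VERSION, 100000, 2, 3)
_call_body += struct.pack(">IIII", 0, 0, 0, 0)
SAMPLE_RECORD = struct.pack(">I", LAST_FRAGMENT | len(_call_body)) + _call_body

# Constructed sample: the opening bytes of an ssh session, which a
# port-based decoder would try to read as an RPC record.
SSH_BANNER = b"SSH-2.0-OpenSSH_3.7\r\n"


if __name__ == "__main__":
    print("single record :", classify_segment(SAMPLE_RECORD))
    print("two records   :", classify_segment(SAMPLE_RECORD * 2))
    print("truncated     :", classify_segment(SAMPLE_RECORD[:30]))
    print("ssh banner    :", classify_segment(SSH_BANNER),
          "rpc call?", looks_like_rpc_call(SSH_BANNER))
```

The ssh banner case is the interesting one: "SSH-" decodes as a record header with a 1.4 GB fragment length, so a decoder that trusts the port alone sees a record that never completes. Checking the call header before raising an alert is the difference between "traffic on an RPC port" and "RPC traffic".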
Current thread:
- spp_rpc_decode Schmehl, Paul L (Dec 03)
- Message not available
- Re: spp_rpc_decode Josh Berry (Dec 03)
- Message not available
- Re: spp_rpc_decode Jeremy Hewlett (Dec 05)
- Re: spp_rpc_decode Paul Schmehl (Dec 05)
- Re: spp_rpc_decode Chris Green (Dec 06)
- Re: spp_rpc_decode Paul Schmehl (Dec 05)