
Snort Forums Archive


I don't know where to ask this so I will ask in this forum ....


Posted by xponet on June 07, 2005 11:13:50

[**] [1:1923:6] RPC portmap proxy attempt UDP [**]


My alerts keep showing this ... A LOT
I tried doing some research on this alert to see if perhaps it's fixable, a false positive, etc., and can't really seem to find anything on it regarding Snort and this alert.

Has anyone else encountered this?
If so, what have you done about it?
Is it a false positive and no big deal and I should just make a rule to ignore it?
Or is it something that should be addressed because it could be a possible vuln?


Thanks a lot

Posted by chris on June 08, 2005 02:24:19

Hi xponet, to really know whether it's a problem or not you'll have to check out the hosts which are producing this alert.
Sorry it's a really obvious answer to your question, but only *you'll* know whether it's a problem on your network ;-)
Do you knowingly run the portmapper service on any of your systems?
Depending on the platform the hosts are running there are a variety of tools to help you out.
The Snort sig page has this to say:
"The RPC "callit" procedure allows the portmapper to act as a proxy to forward requests to other RPC services offered by the host. This allows an attacker to call an RPC service on the same host without knowing the port number associated with the RPC service."
cheers
Chris
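
Added example, not part of the original thread and not Snort's own code: a small triage decoder for the UDP payload of an alerting packet, which checks whether it really is a portmapper CALLIT request (program 100000, procedure 5) and reports which RPC program the portmapper is being asked to call on the sender's behalf. The function names and the two sample payloads are constructed for illustration; the field layout assumed is the ONC RPC call message of RFC 5531 followed by the portmap v2 CALLIT arguments.

```python
import struct

PMAP_PROG = 100000       # portmapper / rpcbind RPC program number
PMAPPROC_CALLIT = 5      # portmap v2 procedure that proxies a call

def _skip_opaque_auth(buf, off):
    """Skip one opaque_auth: flavor, length, body padded to 4 bytes."""
    _flavor, length = struct.unpack_from(">II", buf, off)
    if length > 400:                       # RFC 5531 caps auth bodies at 400 bytes
        raise ValueError("oversized auth body")
    return off + 8 + ((length + 3) & ~3)

def parse_callit(payload):
    """Describe the proxied call, or return None if not a well-formed CALLIT request."""
    try:
        xid, mtype, rpcvers, prog, _vers, proc = struct.unpack_from(">6I", payload, 0)
        if mtype != 0 or rpcvers != 2:     # 0 = CALL, ONC RPC version 2
            return None
        if prog != PMAP_PROG or proc != PMAPPROC_CALLIT:
            return None
        off = _skip_opaque_auth(payload, 24)    # credentials
        off = _skip_opaque_auth(payload, off)   # verifier
        t_prog, t_vers, t_proc, arglen = struct.unpack_from(">4I", payload, off)
    except (struct.error, ValueError):
        return None                        # truncated or malformed packet
    return {
        "xid": xid, "target_prog": t_prog, "target_vers": t_vers,
        "target_proc": t_proc, "arg_len": arglen,
        "truncated": len(payload) < off + 16 + arglen,
    }

def _sample(proc, body):
    """Build a constructed portmap v2 call with AUTH_NULL credentials and verifier."""
    hdr = struct.pack(">6I", 0x1234ABCD, 0, 2, PMAP_PROG, 2, proc)
    auth_null = struct.pack(">II", 0, 0) * 2
    return hdr + auth_null + body

# Constructed samples: CALLIT asking for program 100005 (mountd) v1 NULL procedure,
# and an ordinary GETPORT lookup (procedure 3), which is not a proxy request.
SAMPLE_CALLIT = _sample(5, struct.pack(">4I", 100005, 1, 0, 0))
SAMPLE_GETPORT = _sample(3, struct.pack(">4I", 100005, 1, 17, 0))

if __name__ == "__main__":
    for name, pkt in (("callit", SAMPLE_CALLIT), ("getport", SAMPLE_GETPORT)):
        print(name, parse_callit(pkt))
```

Comparing the reported target program against the output of `rpcinfo -p` on the destination host shows whether the proxied service is one that host actually offers.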