Snort - the de facto standard for intrusion detection/prevention
the de facto standard in IPS  
Got Source? About Snort About Sourcefire Snort FAQ
Sourcefire Network Security - the creators of Snort
Snort News Snort Downloads Snort Rules Snort Docs Snort Training Snort Forums Snort Community Snort Store
Search Site
Search Rules
Account
email
password
not registered?
can't login?
user preferences
next up previous contents
Next: Format Up: Preprocessors Previous: Format   Contents


RPC Decode

The rpc_decode preprocessor normalizes RPC multiple fragmented records into a single un-fragmented record. It does this by normalizing the packet into the packet buffer. If stream4 is enabled, it will only process client-side traffic. By default, it runs against traffic on ports 111 and 32771.


Table 2.5: RPC Decoder Options
Option Description
alert_fragments Alert on any fragmented RPC record.
no_alert_multiple_requests Don't alert when there are multiple records in one packet.
no_alert_large_fragments Don't alert when the sum of fragmented records exceeds one packet.
no_alert_incomplete Don't alert when a single fragment record exceeds the size of one packet.


Subsections
Steven Sturges 2007-05-11
site feedback | Terms of Use | Privacy Policy | forum archives ©2008 Snort and Sourcefire are registered trademarks of Sourcefire, Inc. All rights reserved.