Rule Category

POLICY-OTHER --

Alert Message

POLICY-OTHER RPC Portmapper getstat request attempt

Rule Explanation

This event is generated when an inbound RPC Portmapper version 4 getstat request is made at least 10 times within 1 second.

Impact: Detection of a Denial of Service attack via amplification, if enough responses are made in a short enough period of time.

Details: RPC Portmapper, in response to a legitimate call, will respond with a valid response. The issue is that the response is significantly larger than the initial inbound request. This is known as amplification, and if a significant number of responses are forwarded to a server, a DoS condition may occur.

Ease of Attack: Simple and publicly available
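As an added illustration (not the rule's own source, which this page does not show), the following Python applies the threshold described above to constructed packet records. The program, version and procedure numbers come from RFC 1833; counting per destination server and all function names are assumptions of this example.

```python
import struct
from collections import defaultdict, deque

PMAP_PROG = 100000      # portmapper/rpcbind program number (RFC 1833)
RPCB_VERS4 = 4          # rpcbind version named in the rule
RPCBPROC_GETSTAT = 12   # GETSTAT procedure number in version 4 (RFC 1833)
THRESHOLD, WINDOW = 10, 1.0   # "at least 10 times within 1 second"


def is_getstat_call(payload: bytes) -> bool:
    """True if a UDP payload is an ONC RPC call to rpcbind v4 GETSTAT."""
    if len(payload) < 24:          # fixed part of an RPC call header
        return False
    _xid, mtype, rpcvers, prog, vers, proc = struct.unpack(">6I", payload[:24])
    return (mtype == 0 and rpcvers == 2 and prog == PMAP_PROG
            and vers == RPCB_VERS4 and proc == RPCBPROC_GETSTAT)


def detect(packets):
    """Return [(timestamp, server_ip)] for each burst crossing the threshold."""
    # packets: iterable of (timestamp, src_ip, dst_ip, udp_payload)
    seen = defaultdict(deque)      # server -> timestamps of recent GETSTAT calls
    alerts = []
    for ts, _src, dst, payload in packets:
        if not is_getstat_call(payload):
            continue
        q = seen[dst]              # assumption: count per destination server
        q.append(ts)
        while ts - q[0] >= WINDOW:  # drop calls older than the window
            q.popleft()
        if len(q) >= THRESHOLD:
            alerts.append((ts, dst))
            q.clear()              # one alert per burst
    return alerts


def rpc_call(xid, vers, proc):
    """Build a constructed RPC call header with empty AUTH_NONE cred/verifier."""
    return struct.pack(">6I", xid, 0, 2, PMAP_PROG, vers, proc) + b"\x00" * 16

# Constructed sample records (documentation addresses), not a real capture.
BURST = [(100.0 + i * 0.05, "198.51.100.7", "192.0.2.10", rpc_call(i, 4, 12))
         for i in range(12)]   # 12 GETSTAT calls in 0.6 s: should alert
SLOW = [(200.0 + i * 0.5, "198.51.100.7", "192.0.2.11", rpc_call(i, 4, 12))
        for i in range(12)]    # GETSTAT every 0.5 s: under the threshold
DUMPS = [(300.0 + i * 0.01, "198.51.100.7", "192.0.2.10", rpc_call(i, 4, 4))
         for i in range(12)]   # fast, but a different procedure: ignored

if __name__ == "__main__":
    print(detect(BURST + SLOW + DUMPS))
```

Only the fast GETSTAT burst produces an alert; the slow GETSTAT polling and the burst of a different procedure do not.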

What To Look For

No information provided

Known Usage

No public information

False Positives

Known false positives, with the described conditions

Detection only covers ten requests made in a short period of time; the requests in and of themselves will not do anything and are completely legitimate. Many requests made to a single server are likely indicative of an attempted UDP amplification DoS attack.

Contributors

Cisco Talos Intelligence Group

Rule Groups

No rule groups

CVE

None

Additional Links

Rule Vulnerability

No information provided

CVE Additional Information

This product uses data from the NVD API but is not endorsed or certified by the NVD.

None