Re: SGI RPC broadcast

From: Graham Bevan (gbevanat_private)
Date: Fri Jun 08 2001 - 03:11:42 PDT


    Chris,
         Using the default snort ruleset, I found that on an internal network I
    was getting exactly the same messages.  On analysis I discovered that these
    were being falsely identified and were in fact NIS (yp) broadcasts from NIS
    clients looking for a NIS server.  I modified the snort rule to read:
    
    alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request rstatd"; content: "|01 86 A0 00 00|"; offset: 64; reference:arachnids,10;)
    
         Not sure if this is the same situation that you have...
    
    Regards,
         G.L. Bevan.
    
    
    
    
    
    "Chris Bauer" <cbauerat_private> on 07/06/2001 18:09:22
    
    To:   <incidentsat_private>
    cc:
    Subject:  SGI RPC broadcast
    
    
    I have recently noticed an SGI machine on our network which is broadcasting
    UDP packets from port 1025 to port 111 at a pretty regular 5 second
    interval. I have looked online and have found a couple of Windows exploits
    that do this, and one article mentioned port 1025 used for SGI's mountd. I
    am not familiar with the nuances of SGI. I do know though that none of the
    other SGIs on the network are doing this.
    
    Has anyone else seen this? I've included this small snippet of the snort
    log.
    
    
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    [**] RPC portmap request rstatd [**]
    06/06-15:19:30.121285 xxx.xxx.xxx.xxx:1025 -> xxx.xxx.xxx.xxx:111
    UDP TTL:60 TOS:0x0 ID:58382 IpLen:20 DgmLen:136
    Len: 116
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    [**] RPC portmap request rstatd [**]
    06/06-15:19:35.211285 xxx.xxx.xxx.xxx:1025 -> xxx.xxx.xxx.xxx:111
    UDP TTL:60 TOS:0x0 ID:58485 IpLen:20 DgmLen:136
    Len: 116
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    [**] RPC portmap request rstatd [**]
    06/06-15:19:40.251285 xxx.xxx.xxx.xxx:1025 -> xxx.xxx.xxx.xxx:111
    UDP TTL:60 TOS:0x0 ID:58519 IpLen:20 DgmLen:136
    Len: 116
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    Thanks in advance
    
    -Chris
    
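To make the false-positive mechanism concrete, here is an added Python example (not code from either poster or from the Snort project). It builds two constructed port-111 datagrams, a plain rstatd port lookup and the PMAPPROC_CALLIT broadcast an NIS client (ypbind) sends when it looks for a ypserv, decodes the Sun RPC call header properly (RFC 1057 / RFC 1833 layout, including the variable-length credentials), and shows why a fixed byte offset is an unreliable way to tell the two apart: AUTH_UNIX credentials carry the client hostname, so the position of the requested program number shifts with its length. The hostnames, NIS domain and XIDs are made-up sample values; `snort_content_match` is a simplified emulation of Snort's `content`/`offset` matching, not Snort's own code.

```python
"""Decode Sun RPC portmapper requests (RFC 1057 / RFC 1833) well enough to tell
an rstatd port lookup from an NIS (ypbind) server broadcast.  All packets are
constructed inline; hostnames, domain names and XIDs are made-up sample values."""
import struct

# Program and procedure numbers from the RPC / portmapper / NIS specifications
PMAP_PROG = 100000           # portmapper itself (0x0186A0)
RSTATD_PROG = 100001         # rstatd (0x0186A1)
YPSERV_PROG = 100004         # NIS server, ypserv (0x0186A4)
PMAPPROC_GETPORT = 3         # "which port is program X on?"
PMAPPROC_CALLIT = 5          # "forward this call to program X" (used for broadcasts)
YPPROC_DOMAIN_NONACK = 2     # ypserv: "do you serve this domain?"
RPC_CALL = 0
AUTH_NULL, AUTH_UNIX = 0, 1
IPPROTO_UDP = 17


def _u32(buf, off):
    return struct.unpack_from(">I", buf, off)[0], off + 4


def _opaque(buf, off):
    """Read an XDR variable-length opaque/string: 4-byte length, data, pad to 4."""
    n, off = _u32(buf, off)
    return buf[off:off + n], off + ((n + 3) & ~3)


def xdr_opaque(data):
    return struct.pack(">I", len(data)) + data + b"\0" * (-len(data) % 4)


def build_auth_unix(hostname, uid=0, gid=0):
    # AUTH_UNIX body: stamp, machinename<255>, uid, gid, gids<16> (none here)
    return struct.pack(">I", 0) + xdr_opaque(hostname.encode()) + struct.pack(">III", uid, gid, 0)


def build_rpc_call(xid, prog, vers, proc, args, cred_flavor=AUTH_NULL, cred_body=b""):
    header = struct.pack(">IIIIII", xid, RPC_CALL, 2, prog, vers, proc)
    cred = struct.pack(">I", cred_flavor) + xdr_opaque(cred_body)
    verf = struct.pack(">I", AUTH_NULL) + xdr_opaque(b"")
    return header + cred + verf + args


def build_rstatd_getport(xid=0x1234):
    """Constructed sample: a PMAPPROC_GETPORT lookup for rstatd, AUTH_NULL creds."""
    args = struct.pack(">IIII", RSTATD_PROG, 3, IPPROTO_UDP, 0)
    return build_rpc_call(xid, PMAP_PROG, 2, PMAPPROC_GETPORT, args)


def build_ypbind_broadcast(domain, hostname, xid=0x5678):
    """Constructed sample of what an NIS client sends when broadcasting for a
    server: PMAPPROC_CALLIT wrapping ypserv YPPROC_DOMAIN_NONACK, with AUTH_UNIX."""
    inner = xdr_opaque(domain.encode())
    args = struct.pack(">III", YPSERV_PROG, 2, YPPROC_DOMAIN_NONACK) + xdr_opaque(inner)
    return build_rpc_call(xid, PMAP_PROG, 2, PMAPPROC_CALLIT, args,
                          AUTH_UNIX, build_auth_unix(hostname))


def decode_portmap_request(payload):
    """Walk the RPC call header (including variable-length credentials) and
    return a dict describing the portmapper request."""
    off = 0
    xid, off = _u32(payload, off)
    mtype, off = _u32(payload, off)
    rpcvers, off = _u32(payload, off)
    prog, off = _u32(payload, off)
    vers, off = _u32(payload, off)
    proc, off = _u32(payload, off)
    if mtype != RPC_CALL or rpcvers != 2 or prog != PMAP_PROG:
        raise ValueError("not an RPC v2 call to the portmapper")
    cred_flavor, off = _u32(payload, off)
    _cred, off = _opaque(payload, off)        # length varies: hostname lives in here
    _verf_flavor, off = _u32(payload, off)
    _verf, off = _opaque(payload, off)
    info = {"xid": xid, "proc": proc, "cred_flavor": cred_flavor, "arg_offset": off}
    if proc in (PMAPPROC_GETPORT, PMAPPROC_CALLIT):
        info["target_prog"], off = _u32(payload, off)
        info["target_vers"], off = _u32(payload, off)
    if proc == PMAPPROC_CALLIT:
        info["target_proc"], off = _u32(payload, off)
    return info


def classify(payload):
    """Label a port-111 datagram by the program it actually asks about."""
    try:
        info = decode_portmap_request(payload)
    except (ValueError, struct.error):
        return "not-portmap-call"
    target = info.get("target_prog")
    if target == RSTATD_PROG:
        return "rstatd-lookup"
    if target == YPSERV_PROG and info["proc"] == PMAPPROC_CALLIT:
        return "nis-client-broadcast"
    return "other-portmap-request"


def snort_content_match(payload, pattern_hex, offset):
    """Simplified emulation of Snort's content:"|..|"; offset:N (search from byte N on)."""
    return payload.find(bytes.fromhex(pattern_hex), offset) != -1


if __name__ == "__main__":
    samples = [("rstatd GETPORT", build_rstatd_getport()),
               ("ypbind broadcast", build_ypbind_broadcast("example.nis", "client1"))]
    for name, pkt in samples:
        info = decode_portmap_request(pkt)
        print(f"{name}: {classify(pkt)}, arguments start at byte {info['arg_offset']}")
```

With AUTH_NULL credentials the requested program number sits at byte 40 of the UDP payload; with the AUTH_UNIX credentials an NIS client normally sends it moves to byte 68 for a seven-character hostname and elsewhere for any other hostname length. A rule that matches bytes at a fixed offset therefore fires or stays silent depending on the client's hostname, whereas decoding the header and comparing the target program number (100001 for rstatd, 100004 for ypserv) is stable across hosts.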



    This archive was generated by hypermail 2b30 : Fri Jun 08 2001 - 09:51:56 PDT