File: 2035.txt

package info (click to toggle)
snort 2.7.0-20.4
  • links: PTS
  • area: main
  • in suites: lenny
  • size: 34,512 kB
  • ctags: 18,772
  • sloc: ansic: 115,404; sh: 10,893; makefile: 1,372; perl: 487; sql: 213
file content (69 lines) | stat: -rw-r--r-- 1,508 bytes parent folder | download | duplicates (6)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
Rule:

--
Sid:
2035

--
Summary:
Network Status Monitor (NSM) is used to indicate wether a host is up or 
for its status.

--
Impact:
Intelligence gathering about the current state of a host and wether rpc 
services are available.

--
Detailed Information:
NSM runs on client machines and informs other hosts of the status of 
that machine should a crash or reboot occur. Each remote application 
using an rpc service can therefore register with the host when services 
are once again available.

A request made to a machine will indicate to the attacker the status of 
that host and will also be indicative of rpc services being available. 
The attacker might then continue to ascertain which rpc services are 
being offered and then launch an attack on vulnerable daemons.

--
Affected Systems:
Any system running the service.

--
Attack Scenarios:
An attacker merely needs to request the status of the host using rpc.

--
Ease of Attack:
Simple

--
False Positives:
None Known

--
False Negatives:
None Known

--
Corrective Action:
Disallow all RPC requests from external sources and use a firewall to 
block access to RPC ports from outside the LAN.

Use the hosts.allow file to restrict the hosts able to request the 
status of the server.

--
Contributors:
Sourcefire Research Team
Brian Caswell <bmc@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>

--
Additional References:

Network Status Monitor Protocol, The Open Group:
http://www.opengroup.org/onlinepubs/009629799/chap11.htm

--