File: 1281.txt

package info (click to toggle)
snort 2.9.7.0-5
  • links: PTS, VCS
  • area: main
  • in suites: bullseye, buster, sid, stretch
  • size: 55,000 kB
  • ctags: 38,464
  • sloc: ansic: 266,667; sh: 12,508; makefile: 2,908; yacc: 497; perl: 496; lex: 261; sed: 14
file content (61 lines) | stat: -rw-r--r-- 1,367 bytes parent folder | download | duplicates (6)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
Rule:

--
Sid:
1281

--
Summary:
This event is generated when an attempt is made dump entries from the portmapper on a Solaris host.

--
Impact:
Information disclosure.  This request can discover what Remote Procedure Call (RPC) services are offered and on what ports they listen. 

--
Detailed Information:
The portmapper service registers all RPC services on UNIX hosts.  It can be queried for all RPC services running, the RPC program name and version, the protocol (TCP or UDP), and the port where the service listens.  This can provide an attacker with valuable information about which RPC services are offered and on which ports.

--
Affected Systems:
All hosts running portmapper.

--
Attack Scenarios:
An attacker can query the portmapper to discover RPC services and their associated listening ports. 

--
Ease of Attack:
Simple. 

--
False Positives:
None Known.

--
False Negatives:
None Known.

--
Corrective Action:
Limit remote access to RPC services.

Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines.

Disable unneeded RPC services.

--
Contributors:
Original rule written by Max Vision <vision@whitehats.com>
Original rule modified by Brian Caswell <bmc@sourcefire.com>
Sourcefire Research Team
Judy Novak <judy.novak@sourcefire.com>

--
Additional References:

Arachnids:
http://www.whitehats.com/info/IDS429


--