Security Incidents mailing list archives
Re: SGI RPC broadcast
From: "Graham Bevan" <gbevan () csc com>
Date: Fri, 8 Jun 2001 11:11:42 +0100
Chris,
Using the default snort ruleset, I found that on an internal network I
was getting exactly the same messages. On analysis I discovered that these
were being falsely identified and were in fact NIS (yp) broadcasts from NIS
clients looking for a NIS server. I modified the snort rule to read:
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request rstatd"; content: "|01 86 A0 00 00|"; offset: 64; reference:arachnids,10;)
Not sure if this is the same situation that you have...
Regards,
G.L. Bevan.
"Chris Bauer" <cbauer () mco edu> on 07/06/2001 18:09:22
To: <incidents () securityfocus com>
cc:
Subject: SGI RPC broadcast
I have recently noticed an SGI machine on our network which is broadcasting
UDP packets from port 1025 to port 111 at a pretty regular 5 second
interval. I have looked online and have found a couple of Windows exploits
that do this, and one article mentioned port 1025 used for SGI's mountd. I
am not familiar with the nuances of SGI. I do know though that none of the
other SGIs on the network are doing this.
Has anyone else seen this? I've included this small snippet of the snort
log.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] RPC portmap request rstatd [**]
06/06-15:19:30.121285 xxx.xxx.xxx.xxx:1025 -> xxx.xxx.xxx.xxx:111
UDP TTL:60 TOS:0x0 ID:58382 IpLen:20 DgmLen:136
Len: 116
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] RPC portmap request rstatd [**]
06/06-15:19:35.211285 xxx.xxx.xxx.xxx:1025 -> xxx.xxx.xxx.xxx:111
UDP TTL:60 TOS:0x0 ID:58485 IpLen:20 DgmLen:136
Len: 116
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] RPC portmap request rstatd [**]
06/06-15:19:40.251285 xxx.xxx.xxx.xxx:1025 -> xxx.xxx.xxx.xxx:111
UDP TTL:60 TOS:0x0 ID:58519 IpLen:20 DgmLen:136
Len: 116
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Thanks in advance
-Chris
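An added example, not code from either poster: a small SunRPC decoder that reads which program a portmap GETPORT or CALLIT request is actually asking for, so an alert that fires on a byte pattern like the rule above can be checked against the decoded program number (100001 rstatd versus 100004 ypserv, the NIS server program). The sample packets are constructed here; the program and procedure numbers are the standard RPC/portmapper values, and content_match mirrors Snort's content/offset semantics only to the extent of "pattern found at or after byte offset in the UDP payload".

```python
import struct

# Standard SunRPC program/procedure numbers (from the RPC and portmapper specs)
PMAP_PROG, RSTATD_PROG, YPSERV_PROG = 100000, 100001, 100004
PMAPPROC_GETPORT, PMAPPROC_CALLIT = 3, 5
PROG_NAMES = {PMAP_PROG: "portmapper", RSTATD_PROG: "rstatd", YPSERV_PROG: "ypserv (NIS)"}


def decode_portmap_call(payload):
    """Decode an RPC v2 CALL to the portmapper (UDP/111) and report the program it
    asks about. Returns None for anything that is not a well-formed GETPORT/CALLIT."""
    if len(payload) < 40:
        return None
    xid, msg_type, rpcvers, prog, _vers, proc = struct.unpack_from(">6I", payload, 0)
    if msg_type != 0 or rpcvers != 2 or prog != PMAP_PROG:
        return None
    off = 24
    # Skip credential and verifier: each is flavor(4) + length(4) + body padded to 4 bytes.
    for _ in range(2):
        if off + 8 > len(payload):
            return None
        body_len = struct.unpack_from(">I", payload, off + 4)[0]
        off += 8 + ((body_len + 3) & ~3)
    if proc not in (PMAPPROC_GETPORT, PMAPPROC_CALLIT) or off + 8 > len(payload):
        return None
    # GETPORT and CALLIT arguments both begin with the target program and version.
    target_prog, target_vers = struct.unpack_from(">II", payload, off)
    return {"xid": xid, "pmap_proc": "GETPORT" if proc == PMAPPROC_GETPORT else "CALLIT",
            "target_prog": target_prog, "target_vers": target_vers,
            "target_name": PROG_NAMES.get(target_prog, "unknown"), "args_offset": off}


def content_match(payload, pattern, offset):
    """Snort-style content/offset check: does `pattern` occur at or after byte `offset`?"""
    return payload.find(pattern, offset) != -1


def build_call(xid, proc, target_prog, target_vers, cred_body=b"", tail=b""):
    """Constructed sample packet: RPC v2 CALL to the portmapper with an AUTH_NULL verifier.
    A non-empty cred_body is sent as AUTH_UNIX (flavor 1), as a NIS client would."""
    flavor = 1 if cred_body else 0
    cred = struct.pack(">II", flavor, len(cred_body)) + cred_body + b"\0" * (-len(cred_body) % 4)
    hdr = struct.pack(">6I", xid, 0, 2, PMAP_PROG, 2, proc)
    return hdr + cred + struct.pack(">II", 0, 0) + struct.pack(">II", target_prog, target_vers) + tail


# Constructed samples: a GETPORT for rstatd (prot 17 = UDP), and a ypbind-style CALLIT
# for ypserv carrying an AUTH_UNIX credential (stamp, "host", uid, gid, no extra gids)
RSTATD_GETPORT = build_call(0x1234, PMAPPROC_GETPORT, RSTATD_PROG, 3, tail=struct.pack(">II", 17, 0))
AUTH_UNIX_BODY = struct.pack(">II", 0, 4) + b"host" + struct.pack(">III", 0, 0, 0)
NIS_CALLIT = build_call(0x5678, PMAPPROC_CALLIT, YPSERV_PROG, 2, cred_body=AUTH_UNIX_BODY,
                        tail=struct.pack(">II", 2, 0))
```

Note that the portmapper's own program number in the RPC header already contains the bytes 01 86 A0 at payload offset 13, so a content match without a sufficiently large offset tells you nothing about which program is being requested; decoding the arguments does.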