Hosting Provided By

Re: [Snort-sigs] Not sure I understand "RPC AMD TCP pid request"..

From: Brian <bmc(at)snort.org>
Date: Sun May 04 2003 - 13:00:51 EDT

On Fri, May 02, 2003 at 03:55:54PM -0700, Tom Arseneault wrote:
> alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD TCP pid request"; flow:to_server,established; content:"|00 04 93 F3|"; content:"|00 00 00 09|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:1953; rev:1;)

> What I don't understand is why the destination port is 500(tcp), everything

The port is NOT 500, the port is "any port from 500 and up." amd has its own service (300019) that generally runs on ports above 500.

Port 111 is for portmap. In this rule, we are looking for the pid request on the amd service, NOT the portmap request for where this service is running.

> I did a quick web search and was unable to find any indications that this

Well, its very easy.

setup a system that uses AMD.
on another system, run "amq -h system.running.amd -p -T"

-brian

This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven.
http://thinkgeek.com/sf

Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs Received on Sun May 4 13:49:27 2003

Do you need help?

This message: [ Message body ]
Next message: Mattia: "[Snort-sigs] UNIXSOCK"
Previous message: Brian: "Re: [Snort-sigs] Netbios rules are case sensitive?"
In reply to Tom Arseneault: "[Snort-sigs] Not sure I understand "RPC AMD TCP pid request".."

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:27 EDT