From: LEFEVRE David (David.LEFEVRE cardif.fr)
Date: Wed Jun 06 2001 - 02:44:42 CDT
You should look for Cybercop or the Nessus security scanning tool.
I use it to improve the security of my net; it runs well. It also has an
"nmap plugin".
For example:
Vulnerability found on port unknown (669/tcp)
The remote statd service could be brought down
with a format string attack - it now needs to
be restarted manually.
This means that an attacker may execute arbitrary
code thanks to a bug in this daemon.
Solution : upgrade to the latest version of rpc.statd
Risk factor : High
see CVE : CVE-2000-0666 (http://cgi.nessus.org/cve.php3?cve=CVE-2000-0666)
Best regards,
David
skop d'skop wrote:
> hi guys,
> come across this alert lately for my network
>
> [**] IDS10 - RPC - portmap-request-rstatd [**]
>
> May 30 11:25:15 A.B.C.80:3348 -> X.Y.Z.9:111 SYN ******S*
> May 30 11:25:16 A.B.C.80:726 -> X.Y.Z.9:111 UDP
> May 20 11:25:15 A.B.C.80:3351 -> X.Y.Z.12:111 SYN ******S*
> May 20 11:25:15 A.B.C.80:3352 -> X.Y.Z.13:111 SYN ******S*
> May 20 11:25:16 208.131.80.80:727 -> X.Y.Z.13:111 UDP
>
> and I'm wondering what kind of scanning / tool triggers this alert.
>
> I've done #rpcinfo -p hostname and #nmap -sU -sR hostname, yet no similar output.
>
> -skop
--
David LEFEVRE
CARDIF - Architecture and Operational Security
david.lefevrecardif.fr - Tel: 01 41 42 76 63
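For triaging alerts like the one quoted in this thread, the following added example (not part of the original messages) parses lines in that log format and summarizes, per source, which hosts were probed on port 111, over which protocols, and how many UDP probes came from a source port below 1024. The sample lines, the documentation addresses and the `summarize` function are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the alert's line format (documentation addresses, not from the post).
SAMPLE = """\
May 30 11:25:15 192.0.2.80:3348 -> 198.51.100.9:111 SYN ******S*
May 30 11:25:16 192.0.2.80:726 -> 198.51.100.9:111 UDP
May 30 11:25:15 192.0.2.80:3351 -> 198.51.100.12:111 SYN ******S*
May 30 11:25:15 192.0.2.80:3352 -> 198.51.100.13:111 SYN ******S*
May 30 11:25:16 192.0.2.80:727 -> 198.51.100.13:111 UDP
May 30 11:26:02 192.0.2.44:40112 -> 198.51.100.9:80 SYN ******S*
"""

# Optional "> " quote prefix, timestamp, src:port -> dst:port, then SYN or UDP.
# [\w.]+ also accepts masked addresses such as A.B.C.80.
LINE = re.compile(
    r"^(?:>\s*)?(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+"
    r"(?P<src>[\w.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\w.]+):(?P<dport>\d+)\s+(?P<proto>SYN|UDP)\b"
)

def summarize(text, port=111, min_hosts=2):
    """Group probes to `port` by source; keep sources that touched >= min_hosts targets."""
    by_src = defaultdict(lambda: {"targets": set(), "protos": set(), "priv_udp": 0})
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m or int(m["dport"]) != port:
            continue  # unparsable line, or traffic to a different port
        s = by_src[m["src"]]
        s["targets"].add(m["dst"])
        s["protos"].add("TCP" if m["proto"] == "SYN" else "UDP")
        # UDP from a source port below 1024: on Unix only root can bind these ports.
        if m["proto"] == "UDP" and int(m["sport"]) < 1024:
            s["priv_udp"] += 1
    return {
        src: {"targets": sorted(s["targets"]), "protos": sorted(s["protos"]),
              "priv_udp": s["priv_udp"]}
        for src, s in by_src.items() if len(s["targets"]) >= min_hosts
    }

if __name__ == "__main__":
    for src, info in summarize(SAMPLE).items():
        print(src, info)
```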