OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: skop d'skop (skopvisto.com)
Date: Wed Jun 06 2001 - 09:49:06 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Thanks David,
    But what I wonder this pattern.
    May 30 11:25:15 A.B.C.80:3348 -> X.Y.Z.9:111 SYN ******S*
    May 30 11:25:16 A.B.C.80:726 -> X.Y.Z.9:111 UDP

    First it looks for SYN ( which is TCP Flag) then it looks for UDP Protocol. For UDP, the source port is below < 1024.

    Plus is there anything abt source port < 1024 ( isn't that abnormal ?) scanning to some destination to destination port < 1024 (normal)

    Thanks
    -skop

    -----Original Message-----
    From: LEFEVRE David David.LEFEVREcardif.fr
    Sent: Wed, 06 Jun 2001 09:44:42 +0200
    To: skopvisto.com
    CC: snort-userslists.sourceforge.net
    Subject: Re: [Snort-users] rpc.statd

    You should look for Cybercop or Nessus Security scanning tool.
    I use it to improve security of my net, it runs well. It also has a
    "nmap plugin".

    For an exemple :
    Vulnerability found on port unknown (669/tcp)

    The remote statd service could be brought down
    with a format string attack - it now needs to
    be restarted manually.

    This means that an attacker may execute arbitrary
    code thanks to a bug in this daemon.

    Solution : upgrade to the latest version of rpc.statd
    Risk factor : High
    see CVE : CVE-2000-0666 (http://cgi.nessus.org/cve.php3?cve=CVE-2000-0666)

    Best regards,
    David

    skop d'skop wrote:

    > hi guys,
    > come across this alert lately for my network
    >
    > [**] IDS10 - RPC - portmap-request-rstatd [**]
    >
    > May 30 11:25:15 A.B.C.80:3348 -> X.Y.Z.9:111 SYN ******S*
    > May 30 11:25:16 A.B.C.80:726 -> X.Y.Z.9:111 UDP
    > May 20 11:25:15 A.B.C.80:3351 -> X.Y.Z.12:111 SYN ******S*
    > May 20 11:25:15 A.B.C.80:3352 -> X.Y.Z.13:111 SYN ******S*
    >
    > and i'm wondering what kind of scanning / tool that trigger this alert.
    >
    > i 've done with #rpcinfo -p hostname and #nmap -sU -sR hostname , yet no similiar output.
    >
    > -skop
    > ___________________________________________________________________________
    > Visit http://www.visto.com/info, your free web-based communications center.
    > Visto.com. Life on the Dot.
    >
    > _______________________________________________
    > Snort-users mailing list
    > Snort-userslists.sourceforge.net
    > Go to this URL to change user options or unsubscribe:
    > http://lists.sourceforge.net/lists/listinfo/snort-users
    > Snort-users list archive:
    > http://www.geocrawler.com/redir-sf.php3?list=snort-users 

    --
David LEFEVRE
CARDIF - Architecture et Sécurité Opérationnelle
david.lefevrecardif.fr - Tél : 01 41 42 76 63

    ___________________________________________________________________________
Visit http://www.visto.com/info, your free web-based communications center.
Visto.com. Life on the Dot.

    _______________________________________________
Snort-users mailing list
Snort-userslists.sourceforge.net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users