Snort problem when DPORT = 3277x



  • I'm new to snort, but have enabled it on a new firewall in a new datacenter.  As I'm copying thousands of files to the new server I'm running into this false positive:

    (spp_rpc_decode) Incomplete RPC segment

    Basically my ftp program is opening and closing a lot of connections to do parallel uploads/downloads, and it looks like any connections that have a destination port in the 3277x range are being flagged as illegitimate traffic because Snort is assuming it's RPC traffic.

    I'd find the offending rule and disable it, but apparently under the RC version of pfSense I'm running I can only view the first page of rules, so I can't find it.

    Any quick fix here?



  • Went ahead and entered this into the "suppress" tab:

    suppress gen_id 106, sig_id 4

    Now, does that just stop logging of the event, or does it disable the event itself?  I'm hoping for the latter, but expecting the former.



  • @Derek Zeanah

    Suppress disables the rule completely.

    What do you mean "first page", can you post a pic.

    A quick fix is to edit the snort.inc and add "no_alert_incomplete" to the "Preprocessor rpc_decode:" area.

    Example:
    Preprocessor rpc_decode: 111 32771 no_alert_incomplete
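Added example, not part of the thread: a small script that reads Snort "fast" alert lines, finds the generator/signature IDs that are firing repeatedly (here 106:4, the rpc_decode "Incomplete RPC segment" event), prints the matching `suppress` entry, and rebuilds the rpc_decode preprocessor line with the noisy ports removed and `no_alert_incomplete` appended. The alert lines are constructed for this example; the default port list is the one the classic Snort 2 snort.conf ships with. Note the difference between the two fixes: `suppress` stops the event from firing but rpc_decode still decodes traffic on those ports, while editing the preprocessor line changes what is inspected.

```python
import re
from collections import Counter

# Constructed sample of Snort "fast" alert output (made up for this example,
# not taken from the thread): three rpc_decode alerts on 3277x ports and one
# unrelated rule alert that must not be touched.
SAMPLE_ALERTS = """\
01/15-10:02:11.123456  [**] [106:4:1] (spp_rpc_decode) Incomplete RPC segment [**] [Priority: 3] {TCP} 10.1.1.20:49152 -> 10.1.1.10:32771
01/15-10:02:11.234567  [**] [106:4:1] (spp_rpc_decode) Incomplete RPC segment [**] [Priority: 3] {TCP} 10.1.1.20:49153 -> 10.1.1.10:32772
01/15-10:02:12.000001  [**] [106:4:1] (spp_rpc_decode) Incomplete RPC segment [**] [Priority: 3] {TCP} 10.1.1.20:49154 -> 10.1.1.10:32771
01/15-10:02:13.500000  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.1.1.10:80 -> 10.1.1.20:49200
"""

# Pull gid:sid:rev, the message, the protocol and the 5-tuple out of a fast-format line.
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Port list from the classic Snort 2 snort.conf rpc_decode line.
DEFAULT_RPC_PORTS = [111, 32770, 32771, 32772, 32773, 32774, 32775, 32776, 32777, 32778, 32779]


def parse_alerts(text):
    """Parse fast-format alert lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        for key in ("gid", "sid", "rev", "sport", "dport"):
            d[key] = int(d[key])
        events.append(d)
    return events


def noisy_signatures(events, min_count=2):
    """Group events by (gid, sid); keep those that fired at least min_count times.
    Each entry records the message, the hit count and a Counter of destination ports."""
    stats = {}
    for e in events:
        key = (e["gid"], e["sid"])
        s = stats.setdefault(key, {"msg": e["msg"], "count": 0, "dports": Counter()})
        s["count"] += 1
        s["dports"][e["dport"]] += 1
    return {k: v for k, v in stats.items() if v["count"] >= min_count}


def suppress_lines(noisy):
    """Build threshold.conf-style suppress entries (same syntax as pfSense's suppress tab)."""
    return [f"suppress gen_id {gid}, sig_id {sid}" for (gid, sid) in sorted(noisy)]


def trimmed_rpc_ports(configured, noisy, rpc_gid=106):
    """Drop every port on which rpc_decode (gid 106) alerted from the configured list,
    so the preprocessor stops treating that application's traffic as RPC."""
    hit = set()
    for (gid, _sid), s in noisy.items():
        if gid == rpc_gid:
            hit.update(s["dports"])
    return [p for p in configured if p not in hit]


def rpc_decode_line(ports, no_alert_incomplete=True):
    """Render the preprocessor line for snort.conf (or pfSense's snort.inc template)."""
    parts = ["preprocessor rpc_decode:"] + [str(p) for p in ports]
    if no_alert_incomplete:
        parts.append("no_alert_incomplete")
    return " ".join(parts)


if __name__ == "__main__":
    events = parse_alerts(SAMPLE_ALERTS)
    noisy = noisy_signatures(events)
    for (gid, sid), s in noisy.items():
        print(f"{gid}:{sid} {s['msg']!r} fired {s['count']}x, dports={dict(s['dports'])}")
    print("\n".join(suppress_lines(noisy)))
    print(rpc_decode_line(trimmed_rpc_ports(DEFAULT_RPC_PORTS, noisy)))
```

Run it against a real `alert` file by replacing `SAMPLE_ALERTS` with the file contents; the unrelated rule alert on port 80 is left alone because it fired only once and comes from gid 1, not the rpc_decode generator.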