3. Snort problem when DPORT = 3277x

Snort problem when DPORT = 3277x

  • D

    I'm new to snort, but have enabled it on a new firewall in a new datacenter.  As I'm copying thousands of files to the new server I'm running into this false positive:

    (spp_rpc_decode) Incomplete RPC segment

    Basically my ftp program is opening and closing a lot of connections to do parallel uoloads/downloads, and it looks like any connections that have a destination port in the 3277x range are being flagged as illegitimate traffic because Snort is assuming it's RPC traffic.

    I'd find the offending rule and disable it, but apparently under the RC version of pfSense I'm running I can only view the first page of rules, so I can't find it.

    Any quick fix here?

    0
  • D

    Went ahead and entered this into the "suppress" tab:

    suppress gen_id 106, sig_id 4

    Now, does that just stop logging of the event, or does it disable the event itself?  I'm hoping for the latter, but expecting the former.

    0
  • J

    @Derek Zeanah

    Suppress disables the rule completely.

    What do you mean "first page", can you post a pic.

    A quick fix is to edit the snort.inc and add "no_alert_incomplete" to the "Preprocessor rpc_decode:" area.

    Example:
    Preprocessor rpc_decode: 111 32771 no_alert_incomplete

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy