Netgate Discussion Forum

    Snort problem when DPORT = 3277x

      dzeanah

      I'm new to snort, but have enabled it on a new firewall in a new datacenter.  As I'm copying thousands of files to the new server I'm running into this false positive:

      (spp_rpc_decode) Incomplete RPC segment

      Basically my ftp program is opening and closing a lot of connections to do parallel uploads/downloads, and it looks like any connections that have a destination port in the 3277x range are being flagged as illegitimate traffic because Snort is assuming it's RPC traffic.

      I'd find the offending rule and disable it, but apparently under the RC version of pfSense I'm running I can only view the first page of rules, so I can't find it.

      Any quick fix here?

        dzeanah

        Went ahead and entered this into the "suppress" tab:

        suppress gen_id 106, sig_id 4

        Now, does that just stop logging of the event, or does it disable the event itself?  I'm hoping for the latter, but expecting the former.

          jamesdean

          @Derek Zeanah

          Suppress disables the rule completely.

          What do you mean by "first page"? Can you post a pic?

          A quick fix is to edit the snort.inc and add "no_alert_incomplete" to the "Preprocessor rpc_decode:" area.

          Example:
          Preprocessor rpc_decode: 111 32771 no_alert_incomplete

          1 Reply Last reply Reply Quote 0
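Added example, not part of the thread: before suppressing 106:4 everywhere, this tallies which hosts and destination ports actually trigger it and proposes a suppress line scoped per host with Snort's `track by_dst` form. The alert lines are constructed samples in Snort's "fast" format, and reading "3277x" as ports 32770-32779 is an assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed sample alerts in Snort "fast" format (documentation-range IPs).
SAMPLE_ALERTS = """\
03/14-10:02:11.120001  [**] [106:4:1] (spp_rpc_decode) Incomplete RPC segment [**] [Priority: 3] {TCP} 198.51.100.7:50112 -> 192.0.2.10:32771
03/14-10:02:11.480310  [**] [106:4:1] (spp_rpc_decode) Incomplete RPC segment [**] [Priority: 3] {TCP} 198.51.100.7:50113 -> 192.0.2.10:32774
03/14-10:02:12.007455  [**] [1:1000001:1] Constructed unrelated rule [**] [Priority: 2] {TCP} 198.51.100.9:40000 -> 192.0.2.10:22
03/14-10:02:13.991002  [**] [106:4:1] (spp_rpc_decode) Incomplete RPC segment [**] [Priority: 3] {TCP} 198.51.100.7:50120 -> 192.0.2.10:32771
03/14-10:05:40.000100  [**] [106:4:1] (spp_rpc_decode) Incomplete RPC segment [**] [Priority: 3] {TCP} 203.0.113.5:41000 -> 192.0.2.20:111
"""

# Assumption: "3277x" in the thread means destination ports 32770-32779.
FTP_COLLISION_PORTS = range(32770, 32780)

ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)

def alerts_by_host(text, gid=106, sid=4):
    """Map destination IP -> Counter of destination ports for one gid:sid."""
    hits = defaultdict(Counter)
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m and (int(m["gid"]), int(m["sid"])) == (gid, sid):
            hits[m["dst"]][int(m["dport"])] += 1
    return dict(hits)

def suppress_candidates(hits, gid=106, sid=4):
    """Emit a per-host suppress line only where every hit is in the 3277x range."""
    lines = []
    for ip, ports in sorted(hits.items()):
        if all(p in FTP_COLLISION_PORTS for p in ports):
            lines.append(f"suppress gen_id {gid}, sig_id {sid}, track by_dst, ip {ip}")
    return lines

if __name__ == "__main__":
    hits = alerts_by_host(SAMPLE_ALERTS)
    for ip, ports in sorted(hits.items()):
        print(ip, dict(ports))
    print("\n".join(suppress_candidates(hits)))
```

Hosts with hits on port 111 get no suppress line, so alerts on the portmapper port stay visible for review.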
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.