[ntp:questions] RPC Wrong Direction

Hank Kingwood actionhank at bogusaddress.xyz
Mon Nov 24 21:08:24 UTC 2003


My IDS (Intrusion Detection System) is alerting on my NTP server with 
the following:

RPC Wrong Direction
This protocol anomaly is a remote procedure call (RPC) packet that flows 
in the wrong direction, preventing Portmapper from performing the UDP 
port to RPC program numbers conversion. RPC clients must send RPC calls; 
RPC servers must send RPC replies.

There isn't much else than the above brief description...  IDSes need to 
be tuned, and I believe this alert on my NTP server is a false positive. 
However, I would like to get your opinion.

The reason I believe this can be ignored is that the protocol anomaly 
detector mentions that the packet flows in the wrong direction...  The 
target device being alerted on is both an NTP server and an NTP client. 
I believe the IDS sees the device as either a server or a client (but 
not both) and also sees both server and client packets flying in and out 
of the device.  As a result, the RPC Wrong Direction check is triggered...

The IDS is made by NetScreen.  Any suggestions (other than contacting 
NetScreen) or opinions?  Thanks.
--
Hank
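
Added example, not part of the original post: one way to triage such an alert is to check whether the UDP payloads in the flagged flows carry a valid ONC RPC header (RFC 5531 call/reply) or a plain NTP header. It assumes the payloads can be exported from a packet capture; the function names and sample packets are constructed for illustration.

```python
import struct

NTP_PORT = 123
RPC_CALL, RPC_REPLY = 0, 1  # msg_type values from RFC 5531

def rpc_kind(payload):
    """Return 'call' or 'reply' if payload starts with a valid ONC RPC header."""
    if len(payload) < 12:
        return None
    _xid, msg_type, third = struct.unpack("!III", payload[:12])
    if msg_type == RPC_CALL and third == 2:        # rpcvers must be 2
        return "call"
    if msg_type == RPC_REPLY and third in (0, 1):  # MSG_ACCEPTED / MSG_DENIED
        return "reply"
    return None

def ntp_mode(payload):
    """Return the NTP mode (1-5) if the header is plausible NTP, else None."""
    if len(payload) < 48:
        return None
    version = (payload[0] >> 3) & 0x7
    mode = payload[0] & 0x7
    return mode if 1 <= version <= 4 and 1 <= mode <= 5 else None

def triage(sport, dport, payload):
    """Classify one UDP payload from a flow the IDS flagged."""
    rpc = rpc_kind(payload)
    ntp = ntp_mode(payload) if NTP_PORT in (sport, dport) else None
    if ntp and rpc:
        return "ambiguous"       # both parsers accept it: inspect by hand
    if ntp:
        return "ntp-mode-%d" % ntp
    if rpc:
        return "rpc-" + rpc
    return "unknown"

# Constructed samples (not captured traffic).
# NTP client request (VN 4, mode 3): bytes 4-7 (root delay) are zero,
# which is also the RPC CALL msg_type, but bytes 8-11 are not rpcvers 2.
NTP_CLIENT = bytes([0x23]) + bytes(39) + struct.pack("!II", 0xC3A1B2C4, 0)
# NTP server reply (VN 4, mode 4, stratum 2) with non-zero root delay.
NTP_SERVER = (struct.pack("!BBbb", 0x24, 2, 6, -20)
              + struct.pack("!II", 0x00000A3D, 0x000004F2) + bytes(36))
# Portmapper GETPORT call: xid, CALL, rpcvers 2, prog 100000 v2 proc 3,
# empty credentials and verifier, then the four GETPORT arguments.
RPC_GETPORT = (struct.pack("!10I", 0x12345678, 0, 2, 100000, 2, 3, 0, 0, 0, 0)
               + struct.pack("!4I", 100003, 3, 17, 0))

if __name__ == "__main__":
    for flow in [(123, 123, NTP_CLIENT), (123, 40000, NTP_SERVER),
                 (40000, 111, RPC_GETPORT)]:
        print(flow[0], "->", flow[1], triage(*flow))
```

If every payload in the alerting flows classifies as NTP mode 3 or 4 and none as RPC, that is evidence for treating the alert as a false positive on this host.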



