[ntp:questions] RPC Wrong Direction
actionhank at bogusaddress.xyz
Mon Nov 24 21:08:24 UTC 2003
My IDS (Intrusion Detection System) is alerting on my NTP server with
RPC Wrong Direction
This protocol anomaly is a remote procedure call (RPC) packet that flows
in the wrong direction, preventing Portmapper from performing the UDP
port to RPC program numbers conversion. RPC clients must send RPC calls;
RPC servers must send RPC replies.
There isn't much else than the above brief description... IDSes need to
be tuned, and I believe this alert on my NTP server is a false positive.
However, I would like to get your opinion.
The reason I believe this can be ignored is that the protocol anomaly
detector mentions that the packet flows in the wrong direction... The
target device being alerted on is both an NTP server and an NTP client.
I believe the IDS sees the device as either a server or a client (but
not both) and also sees both server and client packets flying in and out
of the device. As a result, the RPC Wrong Direction check is triggered...
The IDS is made by NetScreen. Any suggestions (other than contacting
NetScreen) or opinions? Thanks.
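
For triaging an alert like the one in this post, the sketch below checks whether a UDP payload is plausibly an ONC RPC message (RFC 5531 header layout) or an NTP time packet. It is an added example, not part of the original message and not NetScreen's detection logic; the function names and sample payloads are constructed for illustration.

```python
import struct

NTP_PORT = 123
RPC_CALL, RPC_REPLY = 0, 1          # msg_type values, RFC 5531

def parse_rpc(payload):
    """Return 'call' or 'reply' if the bytes form a plausible ONC RPC header."""
    if len(payload) < 12:
        return None
    _xid, msg_type, third = struct.unpack("!III", payload[:12])
    if msg_type == RPC_CALL and third == 2:        # rpcvers must be 2
        return "call"
    if msg_type == RPC_REPLY and third in (0, 1):  # MSG_ACCEPTED / MSG_DENIED
        return "reply"
    return None

def parse_ntp(payload):
    """Return (version, mode) for a plausible NTP time packet, else None."""
    if len(payload) < 48:                          # fixed NTP header length
        return None
    version, mode = (payload[0] >> 3) & 0x7, payload[0] & 0x7
    if 1 <= version <= 4 and 1 <= mode <= 5 and payload[1] <= 16:
        return version, mode
    return None

def rpc_direction_ok(kind, sender_is_rpc_server):
    """Rule quoted in the alert text: clients send calls, servers send replies."""
    return (kind == "reply") == sender_is_rpc_server

def triage(src_port, dst_port, payload):
    """Classify the payload behind an 'RPC Wrong Direction' alert."""
    rpc = parse_rpc(payload)
    ntp = parse_ntp(payload) if NTP_PORT in (src_port, dst_port) else None
    if rpc and ntp:
        return "ambiguous"
    if rpc:
        return "rpc-" + rpc
    if ntp:
        return "ntp-mode-%d" % ntp[1]
    return "unknown"

# Constructed sample payloads (not captured traffic).
NTP_REQUEST = bytes([0x23]) + bytes(39) + struct.pack("!II", 0xE3A1B2C3, 0)  # VN=4, mode 3
NTP_REPLY = bytes([0x24, 2, 6, 0xEC]) + struct.pack("!II", 0x0A3D, 0x1F40) + bytes(36)
PORTMAP_CALL = struct.pack("!10I", 0x1234, RPC_CALL, 2, 100000, 2, 3, 0, 0, 0, 0)
```

A result of `ntp-mode-N` with no RPC match on a port 123 flow supports treating the alert as a false positive; `rpc-call` or `rpc-reply` means the direction rule is worth checking against the real client and server roles.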