[ntp:questions] Re: RPC Wrong Direction

Koos van den Hout koos at cs.uu.nl
Tue Nov 25 09:56:43 UTC 2003

Hank Kingwood <actionhank at bogusaddress.xyz> wrote:
> My IDS (Intrusion Detection System) is alerting on my NTP server with 
> the following:

> RPC Wrong Direction
> This protocol anomaly is a remote procedure call (RPC) packet that flows 
> in the wrong direction, preventing Portmapper from performing the UDP 
> port to RPC program numbers conversion. RPC clients must send RPC calls; 
> RPC servers must send RPC replies.

> There isn't much else than the above brief description...  IDSes need to 
> be tuned, and I believe this alert on my NTP server is a false positive. 
>   However, I would like to get your opinion.

The IDS seems to think that any UDP packet exchange on a portnumber that it
does not know of must be the result of an RPC exchange.

This is funny, because it means the IDS has no clue of NTP, and therefore
can never correctly timestamp its log entries.

> The IDS is made by NetScreen.  Any suggestions (other than contacting 
> NetScreen) or opinions?  Thanks.

Tell NetScreen to learn about NTP and ask how the IDS is supposed to know
the right time.


Koos van den Hout, herding Suns and networks as koos at cs.uu.nl
+31-30-2534104              PGP keyid 0x27513781
http://idefix.net/~koos/            Use PGP when possible!
Visit my site about books with reviews http://www.virtualbookcase.com/

More information about the questions mailing list