portmapper Analyzer

The portmapper analyzer monitors one particularly important form of remote procedure call (RPC) [RFC-1831, RFC-1832] traffic: the portmapper service, used to map between RPC program (and version) numbers and the TCP or UDP port on which the service runs on a particular host. For example, rstatd is an RPC service that provides “remote host status monitoring” (the kernel statistics, such as uptime and load average, that tools like rup display). rstatd has been assigned the standard RPC program number 100001. To find out the corresponding TCP or UDP port on a given host, a remote host would usually first contact the portmapper RPC service running on that host (itself RPC program 100000, listening on port 111) and request the port corresponding to program 100001.
Call    | Meaning
NULL    | A do-nothing call typically provided by all RPC services.
GETPORT | Look up the port associated with a given RPC program (and version).
SET     | Add a new port mapping (or replace an existing mapping) for an RPC program.
UNSET   | Remove a port mapping.
DUMP    | Retrieve all of the RPC program mappings.
CALLIT  | Look up a program and call it in one step: the portmapper forwards the request to the service (over UDP only) and relays its reply.

Table 7.5: Types of calls to the RPC portmapper service
All in all, clients can make six different types of calls to the portmapper, as summarized in Table 7.5. Attackers often use GETPORT and DUMP to see whether a host may be running an RPC service vulnerable to a known exploit: DUMP lists every registered program in one reply, and a GETPORT for a specific program number reveals whether (and on which port) that service is running.
The analyzer uses a capture filter of “port 111” (see Filtering), equivalent to “tcp port 111 or udp port 111” (since the portmapper service ordinarily accepts calls over either TCP or UDP, both on port 111). It checks the different types of portmapper calls against policies expressed using a number of different variables.
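The calls in Table 7.5 and the checking described above, as an added example in Python (not code from the Bro analyzer): it encodes a PMAPPROC_GETPORT request and its reply as they appear on the wire per RFC 1831 and RFC 1833, classifies a captured call into the six portmapper procedures, and applies a constructed watchlist rule in flag_call(). The rule, the WATCHED_PROGRAMS table, the transaction id 0x1234 and the port 32768 in the demo are assumptions made for the example; the program numbers in the table are the standard RPC assignments. Messages are handled as UDP payloads, and strip_record_mark() removes the 4-byte framing header that TCP adds.

```python
"""Encode, decode and classify portmapper calls (RPC program 100000, version 2).
Added example, not code from the Bro analyzer. Wire format per RFC 1831 (RPC v2
message), RFC 1832 (XDR) and RFC 1833 (portmapper v2); messages are handled as
raw UDP payloads, and strip_record_mark() removes the framing header TCP adds."""
import struct

PMAP_PROG, PMAP_VERS = 100000, 2
MSG_CALL, MSG_REPLY = 0, 1
IPPROTO_TCP, IPPROTO_UDP = 6, 17
# Portmapper v2 procedure numbers (RFC 1833), named as in Table 7.5.
PMAP_PROCS = {0: "NULL", 1: "SET", 2: "UNSET", 3: "GETPORT", 4: "DUMP", 5: "CALLIT"}
# Constructed watchlist for this example (Bro's own policy variables are not reproduced
# here); the program numbers are the standard RPC assignments.
WATCHED_PROGRAMS = {100001: "rstatd", 100003: "nfs", 100005: "mountd"}


class RpcParseError(ValueError):
    """Raised for truncated or non-RPC-v2 input."""

def _unpack(fmt, buf, off):
    """struct.unpack_from that reports truncation as RpcParseError."""
    try:
        return struct.unpack_from(fmt, buf, off)
    except struct.error:
        raise RpcParseError("truncated message at offset %d" % off)

def _opaque_auth(flavor=0, body=b""):
    """XDR opaque_auth: flavor, then a variable-length opaque padded to 4 bytes (AUTH_NULL = 0)."""
    return struct.pack(">II", flavor, len(body)) + body + b"\0" * ((-len(body)) % 4)

def _skip_opaque_auth(buf, off):
    """Return (flavor, offset just past the opaque_auth at off); RFC 1831 caps the body at 400."""
    flavor, length = _unpack(">II", buf, off)
    if length > 400:
        raise RpcParseError("oversized auth body")
    return flavor, off + 8 + length + (-length) % 4

def encode_call(xid, prog, vers, proc, params=b""):
    """RPC v2 CALL header with AUTH_NULL credentials and verifier, then the procedure params."""
    hdr = struct.pack(">IIIIII", xid, MSG_CALL, 2, prog, vers, proc)
    return hdr + _opaque_auth() + _opaque_auth() + params

def encode_getport(xid, prog, vers, prot=IPPROTO_TCP):
    """PMAPPROC_GETPORT (proc 3): the argument is a mapping {prog, vers, prot, port}; port is ignored."""
    return encode_call(xid, PMAP_PROG, PMAP_VERS, 3, struct.pack(">IIII", prog, vers, prot, 0))

def encode_getport_reply(xid, port):
    """MSG_ACCEPTED (0) reply, AUTH_NULL verifier, accept_stat SUCCESS (0), result = uint32 port."""
    return struct.pack(">III", xid, MSG_REPLY, 0) + _opaque_auth() + struct.pack(">II", 0, port)

def parse_call(buf):
    """Split an RPC CALL into its header fields and the procedure-specific params."""
    xid, mtype, rpcvers, prog, vers, proc = _unpack(">IIIIII", buf, 0)
    if mtype != MSG_CALL or rpcvers != 2:
        raise RpcParseError("not an RPC v2 CALL")
    cred_flavor, off = _skip_opaque_auth(buf, 24)  # credentials
    _, off = _skip_opaque_auth(buf, off)           # verifier
    return {"xid": xid, "prog": prog, "vers": vers, "proc": proc,
            "cred_flavor": cred_flavor, "params": buf[off:]}

def classify_portmapper_call(buf):
    """Name the portmapper procedure (None if the call is to some other program) and decode mapping args."""
    call = parse_call(buf)
    if call["prog"] != PMAP_PROG:
        return None
    name = PMAP_PROCS.get(call["proc"], "UNKNOWN(%d)" % call["proc"])
    info = {"xid": call["xid"], "call": name}
    if name in ("GETPORT", "SET", "UNSET"):
        prog, vers, prot, port = _unpack(">IIII", call["params"], 0)
        info.update(prog=prog, vers=vers, prot=prot, port=port)
    return info

def parse_getport_reply(buf):
    """Return (xid, port) from an accepted, successful GETPORT reply; port 0 means not registered."""
    xid, mtype, reply_stat = _unpack(">III", buf, 0)
    if mtype != MSG_REPLY or reply_stat != 0:
        raise RpcParseError("not an accepted reply")
    _, off = _skip_opaque_auth(buf, 12)
    accept_stat, port = _unpack(">II", buf, off)
    if accept_stat != 0:
        raise RpcParseError("call failed, accept_stat %d" % accept_stat)
    return xid, port

def strip_record_mark(buf):
    """TCP prefixes each RPC message with a 4-byte record mark (RFC 1831 section 10):
    high bit = last fragment, low 31 bits = length. Only single-fragment records here."""
    hdr, = _unpack(">I", buf, 0)
    if not hdr & 0x80000000:
        raise RpcParseError("multi-fragment record not handled in this example")
    return buf[4:4 + (hdr & 0x7FFFFFFF)]

def flag_call(info):
    """Constructed policy rule: report DUMP, mapping changes, and GETPORT for watched programs."""
    if info is None:
        return None
    if info["call"] == "DUMP":
        return "DUMP: full mapping table requested"
    if info["call"] in ("SET", "UNSET"):
        return "%s: mapping change for program %d" % (info["call"], info["prog"])
    if info["call"] == "GETPORT" and info["prog"] in WATCHED_PROGRAMS:
        return "GETPORT for %s (program %d)" % (WATCHED_PROGRAMS[info["prog"]], info["prog"])

if __name__ == "__main__":  # constructed exchange: rstatd v3 over UDP, answered with port 32768 (assumed)
    req, rep = encode_getport(0x1234, 100001, 3, IPPROTO_UDP), encode_getport_reply(0x1234, 32768)
    print(classify_portmapper_call(req), flag_call(classify_portmapper_call(req)), parse_getport_reply(rep))
```

Because this logic only ever sees what arrives on port 111, a client that already knows a service's port never shows up in it, which is the limitation the note that follows describes. A production analyzer would also have to reassemble multi-fragment TCP records and handle credentials other than AUTH_NULL, which this example only rejects or skips over.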
Note: An important point not to overlook is that an attacker does not have to first call the portmapper service in order to call an RPC program. They might instead happen to know the port on which the service runs a priori, since for example it may generally run on the same port for a particular operating system; or they might scan the host's different TCP or UDP ports directly looking for a reply from the service. Thus, while portmapper monitoring proves very useful in detecting attacks, it does not provide comprehensive monitoring of attempts to exploit RPC services.