


7.20.1 portmapper variables

The standard script provides the following redefinable variables:

rpc_programs : table[count] of string
Maps RPC program numbers to the string used to name the corresponding service. For example, the entry for [100002] is mapped to "rstatd".

Default: a large list of RPC services.


NFS_services : set of string
Lists the names of those RPC services that correspond to Network File System (NFS) [RFC-1094, RFC-1813] services. This variable is provided because it is convenient to express policies specific to accessing NFS file systems.

Default: the services mountd, nfs, pcnfsd, nlockmgr, rquotad, status.

Deficiency: Bro's notion of NFS is currently confined to just knowledge of the existence of these services. It does not analyze the particulars of different NFS operations.

RPC_okay : set[addr, addr, string]
Indexed first by the host providing a given service, then by the host accessing the service, and finally by the service name. If an entry is present, it means that the given access is allowed. For example, an entry of:

              [1.2.3.4, 5.6.7.8, "rstatd"]

means that host 5.6.7.8 is allowed to access the rstatd service on host 1.2.3.4.

Default: empty.

RPC_okay_nets : set[net]
A set of networks allowed to make GETPORT requests without complaint. The notion behind providing this variable is that the listed networks are trusted. However, the trust does not extend beyond GETPORT to other portmapper requests: GETPORT is the only portmapper operation routinely used by a set of hosts that is trusted by another set of hosts without belonging to the same group, and hosts outside the group have no reason to issue SET and UNSET calls.

Default: empty.


RPC_okay_services : set[string]
A set of services for which GETPORT requests should not generate complaints. These might be services that are widely invoked and believed exploit-free, such as walld, though care should be taken with blithely assuming that a given service is indeed exploit-free.

Note that, as for RPC_okay_nets, the trust does not extend beyond GETPORT, because GETPORT should be the only portmapper operation routinely invoked.

Default: empty.

NFS_world_servers : set[addr]
A set of hosts that provide public access to an NFS file system, and thus should not have any of their NFS traffic flagged as possibly sensitive. (The presumption here is that such public servers have been carefully secured against any remote NFS operations.) An example of such a server might be one providing read-only access to a public database.

Default: empty.

RPC_dump_okay : set[addr, addr]
Indexed first by the host requesting a portmapper dump, and second by the host from which it's requesting the dump. If an entry is present, then the dump operation is not flagged.

Default: empty.

any_RPC_okay : set[addr, string]
Pairs of hosts and services for which any GETPORT access to the given service is allowed.


Default:

              [NFS_world_servers, NFS_services],
              [sun-rpc.mcast.net, "ypserv"]

The first of these allows access to any NFS service of any of the NFS_world_servers, using Bro's cross-product initialization feature (See Initializing Tables). The second allows ypserv requests to the multicast address reserved for RPC multicasts.[1]


suppress_pm_log : table[addr, string] of bool
Suppresses real-time alerts for access by the given address to the given service. Note that, unlike most Bro policy variables, this one is not const: the standard script modifies it at run-time, adding any host that invokes the walld RPC service, so that such access is reported only once per host.

Default: empty, but dynamic as discussed above.
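The following is an added example of a site policy fragment that redefines the variables described in this section; it is not part of the Bro manual or of the standard portmapper script. All addresses and networks in it are constructed, the trailing-dot spelling of the net literals follows the Bro 1.x "net" type, and the handler at the end assumes the pm_request_getport event and the pm_port_request record (fields program, version, is_tcp) from Bro's portmapper support, together with the suppress_pm_log and rpc_programs variables documented above.

```bro
# Added example: site-local redefinitions of the portmapper analyzer's
# policy variables. Addresses and networks are constructed for illustration.

@load portmapper

# Host 5.6.7.8 may query rstatd on 1.2.3.4. Entries are
# [server, client, service], as described for RPC_okay.
redef RPC_okay += {
	[1.2.3.4, 5.6.7.8, "rstatd"],
};

# Networks trusted to issue GETPORT (and only GETPORT) without complaint.
# Assumption: net literals are written with a trailing dot (Bro 1.x "net").
redef RPC_okay_nets += { 128.3., 131.243. };

# GETPORT requests for walld from anywhere are not worth a complaint here.
redef RPC_okay_services += { "walld" };

# A read-only public NFS export whose NFS traffic is not treated as
# sensitive. Because the default for any_RPC_okay is built by cross-product
# initialization over [NFS_world_servers, NFS_services], adding a host here
# also allows GETPORT for every NFS service on it (mountd, nfs, pcnfsd, ...).
redef NFS_world_servers += { 1.2.3.10 };

# A monitoring host (5.6.7.8) is allowed to dump the portmapper of 1.2.3.4
# without the dump being flagged. Entries are [requester, target].
redef RPC_dump_okay += { [5.6.7.8, 1.2.3.4] };

# suppress_pm_log is not const: the standard script adds hosts that invoke
# walld so they are reported only once. This handler mirrors that behaviour
# for rquotad. Assumption: the pm_request_getport event signature and the
# pm_port_request record come from Bro's portmapper support.
event pm_request_getport(r: connection, pr: pm_port_request, p: port)
	{
	local requester = r$id$orig_h;

	# Resolve the program number to a name via rpc_programs; unknown
	# numbers fall back to a descriptive placeholder.
	local service = pr$program in rpc_programs ?
	                  rpc_programs[pr$program] : fmt("program %d", pr$program);

	# Record the first rquotad request from this host; later requests from
	# the same host for the same service produce no further real-time alert.
	if ( service == "rquotad" && [requester, service] !in suppress_pm_log )
		suppress_pm_log[requester, service] = T;
	}
```

The redefinitions only relax checking for the hosts, networks and services listed; everything else keeps the default behaviour of the standard script. The handler shows the one variable on this page that is meant to change at run-time, and it extends the walld-style one-report-per-host suppression to a second service without touching the standard script itself.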


Footnotes

[1] I don't know how much this type of access is actually used in practice, but experience shows that requests for ypserv directed to that address pop up not infrequently.