7.20 The portmapper Analyzer

The portmapper analyzer monitors one particularly important form of remote procedure call (RPC) [RFC-1831, RFC-1832] traffic: the portmapper service, used to map between RPC program (and version) numbers and the TCP or UDP port on which the service runs for a particular host. For example, rstatd is an RPC service that provides “remote host status monitoring” so that a set of hosts can be informed when any of them reboots. rstatd has been assigned a standard RPC program number of 100002. To find out the corresponding TCP or UDP port on a given host, a remote host would usually first contact the portmapper RPC service running on the host and request the port corresponding to program 100002.

Call      Meaning
--------  ------------------------------------------------------------------------
NULL      A do-nothing call typically provided by all RPC services.
GETPORT   Look up the port associated with a given RPC program.
SET       Add a new port mapping (or replace an existing mapping) for an RPC program.
UNSET     Remove a port mapping.
DUMP      Retrieve all of the RPC program mappings.
CALLIT    Both look up a program and then directly call it.

Table 7.5: Types of calls to the RPC portmapper service

All in all, clients can make six different types of calls to the portmapper, as summarized in the above table. Attackers often use GETPORT and DUMP to see whether a host may be running an RPC service vulnerable to a known exploit.

The analyzer uses a capture filter of “port 111” (See: Filtering), equivalent to “tcp port 111 or udp port 111” (since the portmapper service ordinarily accepts calls using either TCP or UDP, both on port 111). It checks the different types of portmapper calls against policies expressed using a number of different variables.
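As an added illustration (not Bro's own code), the following Python decodes a portmapper v2 CALL carried in a UDP payload according to the RFC 1831/1832 message layout, and flags the GETPORT and DUMP calls the text singles out. The sample messages are constructed here; the helper names (`parse_portmap_call`, `is_recon_call`, `build_call`) are this example's own.

```python
import struct

PMAP_PROG, PMAP_VERS = 100000, 2            # portmapper program number and version
PMAP_PROCS = {0: "NULL", 1: "SET", 2: "UNSET", 3: "GETPORT", 4: "DUMP", 5: "CALLIT"}
RECON_PROCS = {"GETPORT", "DUMP"}           # calls the text notes attackers commonly use

def _skip_opaque_auth(buf, off):
    """Skip one RFC 1831 opaque_auth: flavor, length, body padded to 4 bytes."""
    _flavor, length = struct.unpack_from("!II", buf, off)
    return off + 8 + ((length + 3) & ~3)

def parse_portmap_call(buf):
    """Decode an ONC RPC v2 CALL to the portmapper (UDP payload, no record mark).

    Returns a dict with the call type and, for SET/UNSET/GETPORT, the mapping
    (prog, vers, prot, port) named in the request."""
    xid, mtype, rpcvers, prog, vers, proc = struct.unpack_from("!6I", buf, 0)
    if mtype != 0 or rpcvers != 2:
        raise ValueError("not an RPC v2 CALL message")
    if prog != PMAP_PROG or vers != PMAP_VERS:
        raise ValueError("not a portmapper v2 call")
    off = _skip_opaque_auth(buf, 24)        # credentials
    off = _skip_opaque_auth(buf, off)       # verifier
    call = {"xid": xid, "proc": PMAP_PROCS.get(proc, "UNKNOWN(%d)" % proc)}
    if proc in (1, 2, 3):                   # these procedures carry a struct mapping
        call["prog"], call["vers"], call["prot"], call["port"] = \
            struct.unpack_from("!4I", buf, off)
    return call

def is_recon_call(call):
    """True for the call types a monitor would want to log as RPC reconnaissance."""
    return call["proc"] in RECON_PROCS

def build_call(proc, args=b""):
    """Constructed sample message: AUTH_NULL credentials and verifier, args appended."""
    hdr = struct.pack("!6I", 0x1234, 0, 2, PMAP_PROG, PMAP_VERS, proc)
    auth_null = struct.pack("!II", 0, 0) * 2
    return hdr + auth_null + args

# Constructed sample: GETPORT for rstatd (program 100002) version 1 over UDP (IP proto 17).
GETPORT_RSTATD = build_call(3, struct.pack("!4I", 100002, 1, 17, 0))
DUMP_CALL = build_call(4)

if __name__ == "__main__":
    for msg in (GETPORT_RSTATD, DUMP_CALL, build_call(0)):
        c = parse_portmap_call(msg)
        print(c, "<- recon" if is_recon_call(c) else "")
```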

Note: An important point not to overlook is that an attacker does not have to first call the portmapper service in order to call an RPC program. They might instead happen to know the port on which the service runs a priori, since for example it may generally run on the same port for a particular operating system; or they might scan the host's different TCP or UDP ports directly looking for a reply from the service. Thus, while portmapper monitoring proves very useful in detecting attacks, it does not provide comprehensive monitoring of attempts to exploit RPC services.