PROTOCOL-RPC -- Snort has detected traffic that may indicate the presence of the RPC protocol or vulnerabilities in the RPC protocol on the network.
PROTOCOL-RPC portmap listing UDP 111
This event is generated when an attempt is made to dump entries from the portmapper.
Impact: Information disclosure. This request can discover what Remote Procedure Call (RPC) services are offered and on what ports they listen.
Details: The portmapper service registers all RPC services on UNIX hosts. It can be queried for all RPC services running, the RPC program name and version, the protocol (TCP or UDP), and the port where the service listens. This can provide an attacker valuable information about which RPC services are offered and on which ports.
Ease of Attack: Simple. Execute 'rpcinfo -p hostname/IP'.
SunRPC over port 111 on UDP.
No public information
No known false positives
Original rule written by Max Vision <vision@whitehats.com>
Modified by Brian Caswell
Cisco Talos
Judy Novak
No rule groups
None
No information provided
None
Tactic: Reconnaissance
Technique: Client Configurations
For reference, see the MITRE ATT&CK vulnerability types here: https://attack.mitre.org
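An added example, not the Snort rule itself or any Cisco Talos code: a Python check that recognizes the portmapper dump request described above in a UDP payload. It decodes the ONC RPC call header (RFC 5531) and matches program 100000, procedure 4 (RFC 1833). The function names, addresses and sample packets are constructed for illustration.

```python
import struct

PMAP_PROGRAM = 100000          # portmapper / rpcbind program number (RFC 1833)
# Version 2 procedure names; procedure 4 is also DUMP in rpcbind versions 3 and 4.
PMAP_PROCS = {0: "NULL", 1: "SET", 2: "UNSET", 3: "GETPORT", 4: "DUMP", 5: "CALLIT"}
RPC_CALL, RPC_VERSION = 0, 2   # msg_type and rpcvers of a call (RFC 5531)


def portmap_procedure(payload: bytes):
    """Return the portmapper procedure name of a UDP RPC call, else None."""
    if len(payload) < 24:
        return None
    # Call header: xid, msg_type, rpcvers, prog, vers, proc (big-endian uint32).
    _xid, msg_type, rpcvers, prog, _vers, proc = struct.unpack(">6I", payload[:24])
    if (msg_type, rpcvers, prog) != (RPC_CALL, RPC_VERSION, PMAP_PROGRAM):
        return None
    # Credential and verifier follow: flavor, length, opaque body padded to 4 bytes.
    # Both must be present in full and at most 400 bytes each.
    offset = 24
    for _ in range(2):
        if len(payload) < offset + 8:
            return None
        _flavor, length = struct.unpack(">2I", payload[offset:offset + 8])
        offset += 8 + ((length + 3) & ~3)
        if length > 400 or len(payload) < offset:
            return None
    return PMAP_PROCS.get(proc)


def dump_sources(packets):
    """packets: (src_ip, dst_port, udp_payload) tuples. Sources that sent DUMP to 111."""
    return sorted({src for src, dport, data in packets
                   if dport == 111 and portmap_procedure(data) == "DUMP"})


def sample_call(proc, xid=0x1234ABCD):
    # Constructed payload: call header plus empty AUTH_NONE credential and verifier.
    return struct.pack(">6I", xid, RPC_CALL, RPC_VERSION, PMAP_PROGRAM, 2, proc) + bytes(16)


# Constructed sample traffic using documentation addresses (RFC 5737).
SAMPLE = [
    ("192.0.2.10", 111, sample_call(4)),               # DUMP request
    ("192.0.2.11", 111, sample_call(3) + bytes(16)),   # GETPORT with four uint32 args
    ("192.0.2.12", 111, sample_call(4)[:30]),          # truncated call, rejected
    ("192.0.2.13", 53, sample_call(4)),                # not sent to port 111
]
```

`dump_sources(SAMPLE)` returns only the first source; the GETPORT lookup, the truncated call and the packet to another port are not reported.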