PROTOCOL-RPC -- Snort has detected traffic that may indicate the presence of the rpc protocol or vulnerabilities in the rpc protocol on the network.
PROTOCOL-RPC portmap mountd request UDP
This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) mountd is listening. Impact: Information disclosure. This request is used to discover which port mountd is using. Attackers can also learn what versions of the mountd protocol are accepted by mountd. Details: The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as mountd run. The mountd RPC service allows remote file system access through Network File System (NFS). A vulnerability exists in the code that logs NFS mount activity that can cause a buffer overflow, allowing the execution of arbitrary code with root privileges. Ease of Attack: Simple.
No information provided
No public information
Known false positives, with the described conditions
If a legitimate remote user is allowed to access mountd, this rule may trigger.
Original rule written by Max Vision <vision@whitehats.com> Modified by Brian Caswell Cisco Talos Judy Novak
No rule groups
None
No information provided
None
©2025 Cisco and/or its affiliates. Snort, the Snort and Pig logo are registered trademarks of Cisco. All rights reserved.
