Laurin,

The log viewer looks in your local services file as well as the
firewall-1 defined service objects for resolving what ports = what
protocols in the viewer. If, for example, you were running this on a
UNIX platform, the log viewer would look at /etc/services and
/etc/fw/conf/objects.C to do the service resolution. Since you're
running on NT, it will look at $WINNT/system32/drivers/etc/services and
then at the objects that the client downloads automatically from the
management station when the log viewer is opened.

In regards to the sunrpc service, it is used on UNIX machines to assign
ports to programs which run on dynamically configured ports. There are
several exploitable services which rely on RPC, such as rpc.ttdbserverd,
rpc.statd, rpc.sadmind, rpc.rusers, etc. So your script kiddy was
probably looking for vulnerable UNIX boxes. For more info on SUNRPC,
see http://www.networksorcery.com/enp/rfc/rfc1057.txt . Hope this
helps!

Jason
http://www.wittys.com
http://www.securitystats.com

Laurin Buchanan wrote:
>
> Greetings all:
>
> Reviewing logs for my FW-1 (3.0b patch 3068 on NT4 SP4), I saw several
> dropped entries for a service that the log was calling "sunrpc." Not being
> familiar with the service, I wanted to look up what port that actually was
> (and also to send off the scan detection notification email) but I was
> surprised that there was no such service defined in my FW system.
>
> I took a quick look around phoneboy's site, didn't see anything that relates
> to this, so I'd appreciate any answers the list members might have for the
> two following questions:
>
> 1) How does the designation get into the log, if the service isn't defined
> in my firewall and are there others that might crop up in a similar manner?
>
> 2) Would someone tell me what port this service is using, or point me to a
> website that will let me search for port numbers by service name, since most
> of the online resources order the list by port number?
>
> Thanks in advance,
>
> Laurin Buchanan, Manager, Internet Services / Webmaster
> National Music Publishers Association & The Harry Fox Agency, Inc.
> www.songfile.com | www.lyrics.ch | www.nmpa.org
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================
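
An added example, not part of the original messages and not FireWall-1 code: a small parser for services-file text that answers both questions in the thread, service name to port and logged port to displayed name, checking the services file first and firewall-defined objects second as the reply describes. The sample file contents and the `fw_objects` dictionary standing in for firewall service objects are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in services-file format (not copied from a real host).
SAMPLE_SERVICES = """\
# name      port/proto  aliases
ftp         21/tcp
smtp        25/tcp      mail
sunrpc      111/tcp     rpcbind portmap   # RPC port mapper
sunrpc      111/udp     rpcbind portmap
bad line without a port
snmp        161/udp
"""

# name, port/proto, then zero or more whitespace-separated aliases
LINE = re.compile(r"^(\S+)\s+(\d+)/(\w+)((?:\s+\S+)*)\s*$")

def parse_services(text):
    """Return (by_port, by_name) built from services-file text."""
    by_port = {}                 # (port, proto) -> canonical service name
    by_name = defaultdict(set)   # name or alias -> {(port, proto), ...}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # strip comments
        m = LINE.match(line)
        if not m:                              # blank or malformed: skip
            continue
        name, port, proto = m.group(1), int(m.group(2)), m.group(3).lower()
        by_port.setdefault((port, proto), name)   # first entry wins
        for n in [name, *m.group(4).split()]:
            by_name[n.lower()].add((port, proto))
    return by_port, dict(by_name)

def ports_for(name, by_name):
    """Question 2 in the thread: which port(s) does a service name map to?"""
    return sorted(by_name.get(name.lower(), ()))

def label_for(port, proto, by_port, fw_objects=None):
    """Question 1: where a logged name comes from. fw_objects is a
    hypothetical {(port, proto): name} dict, not the objects.C format."""
    key = (port, proto.lower())
    if key in by_port:
        return by_port[key], "services file"
    if fw_objects and key in fw_objects:
        return fw_objects[key], "firewall object"
    return str(port), "unresolved"

if __name__ == "__main__":
    by_port, by_name = parse_services(SAMPLE_SERVICES)
    print(ports_for("sunrpc", by_name), label_for(111, "udp", by_port))
```

To run it against a real host, pass the contents of the local services file to `parse_services` instead of the sample string.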