GEN:SID 1:1299
Message RPC portmap tooltalk request UDP
Summary This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) ttdbserverd is listening.

Impact Information disclosure.  This request is used to discover which port ttdbserverd is using.  Attackers can also learn what versions of the ttdbserverd protocol are accepted by ttdbserverd.
Detailed Information The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as ttdbserverd run.  The ttdbserverd RPC service, more commonly known as the ToolTalk database server, allows applications used in Common Desktop Environment (CDE) to communicate.  The ToolTalk service receives ToolTalk messages created and sent by applications and delivers them to the appropriate recipient applications.  The ToolTalk database server comes enabled on hosts with CDE.  Multiple vulernabilities have been associated with the ToolTalk database server.
Affected Systems All hosts running the UNIX portmapper.
Attack Scenarios An attacker can query the portmapper to discover the port where ttdbserverd runs.  This may be a precursor to accessing ttdbserverd.
Ease of Attack Easy.  
Corrective Action Limit remote access to RPC services.

Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines.

Disable unneeded RPC services.
Additional References CVE
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0717
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0003
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0687
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1075

Rule References bugtraq: 3382
cve: 1999-0003
cve: 1999-0687
cve: 1999-1075
cve: 2001-0717
url: www.cert.org/advisories/CA-2001-05.html