[Snort-sigs] Re: [Snort-devel] False SNMP missing community string alerts

Daniel J. Roelker droelker at ...435...
Wed Nov 19 06:59:20 EST 2003


Thanks for pointing this out John.  The false positive occurs because
the offset is 5 and the content must occur within 15 bytes of the offset
(the depth keyword).  So in this packet, you see the |04 00| within 15
bytes of the offset (it's at the beginning of the second line).

This rule needs to be enhanced to weed out these types of false
positives.  I think that decreasing the depth value would help, but I
think this rule should be revisited in more depth.

If Brian can't get a chance to look at this, then I will.  Thanks again,
John.

Dan

On Tue, 2003-11-18 at 15:50, John Wehle wrote:
> The following shows up from time to time in my logs:
> 
>   [**] SNMP missing community string attempt [**]
>   11/18-14:46:39.480171 192.251.93.6:41142 -> 192.251.93.7:161
>   UDP TTL:255 TOS:0x0 ID:30520 IpLen:20 DgmLen:73 DF
>   Len: 45
>   30 2B 02 01 01 04 06 70 75 62 6C 69 63 A1 1E 02  0+.....public...
>   04 00 C0 C4 27 02 01 00 02 01 00 30 10 30 0E 06  ....'......0.0..
>   0A 2B 06 01 02 01 19 04 02 01 04 05 00           .+...........
> 
> apparently due to:
> 
>   alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP missing community string attempt"; content:"|04 00|"; offset:5; depth:15; reference:cve,CAN-1999-0517; classtype:misc-attack; sid:1893; rev:1;)
> 
> being triggered.  As I understand it the rule says trigger if starting
> at offset 5 the sequence 04 00 is present; the packet dump shows the sequence
> starting at offset 5 as 04 06 in which case the rule shouldn't have triggered.
> 
> Particulars:
> 
>   System Architecture:          x86
>   Operating System and version: Solaris 8
>   Version of Snort:             2.0.4
>   Configuration:                Stock snort.conf with HOME_NET defined as
>                                 192.251.93.0/24
>   Command line switches:        -d -c snort.conf
> 
> The rule doesn't trigger all the time ... just sometimes even though
> 192.251.93.6 polls 192.251.93.7 every five minutes.
> 
> -- John
> -------------------------------------------------------------------------
> |   Feith Systems  |   Voice: 1-215-646-8000  |  Email: john at ...2031...  |
> |    John Wehle    |     Fax: 1-215-540-5495  |                         |
> -------------------------------------------------------------------------
-- 
Daniel Roelker
Software Developer
Sourcefire, Inc.
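The matching behaviour Dan describes (the search window starts at offset 5 and runs for depth 15 bytes, so the |04 00| that begins the second dump line is inside the window) is easy to reproduce. The following is an added example, not code from this thread or from the Snort project: it applies Snort 2 content/offset/depth semantics to the 45-byte payload quoted in John's report, shows that a tighter depth no longer fires on it, and contrasts the byte-pattern rule with a small BER parse of the SNMP header that reads the community OCTET STRING itself. The second packet with an empty community string is constructed here for illustration.

```python
"""Snort content/offset/depth matching versus a structural SNMP community check."""

# Payload taken from the packet dump quoted in the report (45 bytes).
PACKET = bytes.fromhex(
    "302B02010104067075626C6963A11E02"
    "0400C0C4270201000201003010300E06"
    "0A2B0601020119040201040500"
)

# Constructed for this example: SNMPv1 GetRequest whose community OCTET
# STRING has length zero (bytes 5-6 are |04 00|).
EMPTY_COMMUNITY = bytes.fromhex("30120201000400A00B0201010201000201003000")


def content_match(payload, content, offset=0, depth=None):
    """Index of the first occurrence of `content` under Snort 2 semantics:
    the search starts at `offset` and covers `depth` bytes from there
    (the rest of the payload when depth is None). The pattern must fit
    entirely inside that window."""
    end = len(payload) if depth is None else min(len(payload), offset + depth)
    idx = payload.find(content, offset, end)
    return None if idx < 0 else idx


def read_tlv(buf, pos):
    """Read one BER tag/length/value at `pos`; return (tag, value, next_pos).
    Handles short-form and long-form (0x81..0x84) lengths."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def community_string(payload):
    """Return the community string of SEQUENCE { INTEGER version,
    OCTET STRING community, ... }, or None if the message does not parse."""
    try:
        tag, msg, _ = read_tlv(payload, 0)
        if tag != 0x30:
            return None
        vtag, _, pos = read_tlv(msg, 0)
        if vtag != 0x02:
            return None
        ctag, community, _ = read_tlv(msg, pos)
        if ctag != 0x04:
            return None
        return community
    except IndexError:
        return None


def missing_community(payload):
    """True only when the community OCTET STRING is present but empty."""
    return community_string(payload) == b""


if __name__ == "__main__":
    for name, pkt in (("reported packet", PACKET), ("empty community", EMPTY_COMMUNITY)):
        print(name)
        print("  sid:1893 as written (offset 5, depth 15):",
              content_match(pkt, b"\x04\x00", 5, 15))
        print("  tighter window (offset 5, depth 2):   ",
              content_match(pkt, b"\x04\x00", 5, 2))
        print("  parsed community:", community_string(pkt),
              "-> missing" if missing_community(pkt) else "-> present")
```

On the reported packet the rule as written matches at byte 16 (the length byte of the INTEGER request-id followed by the first byte of its value), while the parsed community is `public`; with depth 2 the window holds only `04 06` and nothing fires. The empty-community packet fires under both depths and is also flagged by the structural check, which is the behaviour the signature is meant to capture.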