[Snort-sigs] Suggested modification of rule 1892 (SNMP null community string attempt)

James Kingston james_kingston at ...144...
Wed May 19 05:31:13 EDT 2004


We are getting some false positives on the rule "SNMP null community
string attempt", sid 1892.

Rule text:
alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP null community
string attempt"; content:"|04 01 00|"; offset:5; depth:15;
reference:cve,CAN-1999-0517; reference:bugtraq,8974;
classtype:misc-attack; sid:1892; rev:3;)

Here is a sample packet capture:
30 63 02 01 00 04 06 73 65 63 72 65 74 A0 56 02 04 01 00 ....

A walk-through of the packet:
30 sequence
63 length of sequence
02 integer
01 length of integer
00 snmp version
04 string
06 length of string
73 65 63 72 65 74 community string
A0 GetRequest-PDU
56 length of PDU
02 04 01 00... Start of PDU/rest of packet

Changing the depth to 7 has taken care of the issue, as the only place
(to the best of my knowledge) that a null community string can occur
is from the 6th to the 8th bytes.

alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP null community
string attempt"; content:"|04 01 00|"; offset:5; depth:7;
reference:cve,CAN-1999-0517; reference:bugtraq,8974;
classtype:misc-attack; sid:1892; rev:3;)

(Or should that be offset:5; depth:3, now that I think of it?)  Of
course, I could be completely misinterpreting the intent of the rule.
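As an added example (not part of the original post, nor code from the Snort project), the script below builds an SNMPv1 GetRequest with the same layout as the walk-through above, emulates the rule's content/offset/depth window, and BER-parses the message to read the community string directly, so the pattern match and the actual field can be compared. The request-id value is constructed, and the depth semantics (pattern must lie entirely within the `depth` bytes that start at `offset`) are an assumption.

```python
def ber(tag: int, body: bytes) -> bytes:
    """Encode one BER TLV with a short-form (< 128) length."""
    if len(body) >= 128:
        raise ValueError("long-form lengths are outside this example's scope")
    return bytes([tag, len(body)]) + body

def snmp_v1_get(community: bytes, request_id: int) -> bytes:
    """Build a minimal SNMPv1 GetRequest shaped like the capture in the post (constructed sample)."""
    pdu_body = (ber(0x02, request_id.to_bytes(4, "big"))  # request-id as a 4-byte INTEGER
                + ber(0x02, b"\x00")                        # error-status
                + ber(0x02, b"\x00")                        # error-index
                + ber(0x30, b""))                           # empty VarBindList
    return ber(0x30, ber(0x02, b"\x00")                     # version 0 = SNMPv1
                     + ber(0x04, community)                 # community OCTET STRING
                     + ber(0xA0, pdu_body))                 # GetRequest-PDU

def ber_read(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV at pos; short-form length only."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form length not handled in this example")
    start = pos + 2
    return tag, buf[start:start + length], start + length

def snmp_community(payload: bytes) -> bytes:
    """Walk SEQUENCE -> version INTEGER -> community OCTET STRING and return the community."""
    tag, msg, _ = ber_read(payload, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    tag, _version, pos = ber_read(msg, 0)
    if tag != 0x02:
        raise ValueError("missing version field")
    tag, community, _ = ber_read(msg, pos)
    if tag != 0x04:
        raise ValueError("missing community string")
    return community

def rule_1892_matches(payload: bytes, depth: int) -> bool:
    """Emulate content:"|04 01 00|"; offset:5; depth:N (assumed semantics: the
    3-byte pattern must fall entirely inside the `depth` bytes starting at byte 5)."""
    return bytes.fromhex("040100") in payload[5:5 + depth]

if __name__ == "__main__":
    # "secret" with a request-id beginning 01 00 reproduces the false positive;
    # a one-byte 0x00 community is what the pattern actually corresponds to.
    for label, pkt in (("secret", snmp_v1_get(b"secret", 0x01002A2A)),
                       ("NUL byte", snmp_v1_get(b"\x00", 0x01002A2A))):
        print(label, pkt.hex(" "), "depth15:", rule_1892_matches(pkt, 15),
              "depth7:", rule_1892_matches(pkt, 7), "community:", snmp_community(pkt))
```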