[Snort-sigs] Suggested modification of rule 1892 (SNMP null community string attempt)

Matthew Watchinski mwatchinski at ...435...
Wed May 19 12:16:01 EDT 2004


You might not want to do that: since SNMP uses ASN.1, you can do interesting 
things like long encodings.

I.e.

30 - I'm a Sequence
8F - high bit set, len is 16 bytes long

FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF - len of sequence

02 integer

01 len of integer

00 snmp version

04 string

06 len of string

....

Cheers,
-matt

James Kingston wrote:
> We are getting some false positives on the rule "SNMP null community
> string attempt", sid 1892.
> 
> Rule text:
> alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP null community
> string attempt"; content:"|04 01 00|"; offset:5; depth:15;
> reference:cve,CAN-1999-0517; reference:bugtraq,8974;
> classtype:misc-attack; sid:1892; rev:3;)
> 
> Here is a sample packet capture:
> 30 63 02 01 00 04 06 73 65 63 72 65 74 A0 56 02 04 01 00 ....
> 
> A walk-through of the packet:
> 30 sequence
> 63 length of sequence
> 02 integer
> 01 length of integer
> 00 snmp version
> 04 string
> 06 length of string
> 73 65 63 72 65 74 community string
> A0 GetRequest-PDU
> 56 length of PDU
> 02 04 01 00... Start of PDU/rest of packet
> 
> Changing the depth to 7 has taken care of the issue, as the only place
> (to the best of my knowledge) that a null community string can occur
> is from the 6th to the 8th bytes.
> 
> alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP null community
> string attempt"; content:"|04 01 00|"; offset:5; depth:7;
> reference:cve,CAN-1999-0517; reference:bugtraq,8974;
> classtype:misc-attack; sid:1892; rev:3;)
> 
> (Or should that be offset:5; depth:3, now that I think of it?)  Of
> course, I could be completely misinterpreting the intent of the rule.
> 
> 
> 
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
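The two points in the thread above (James's false positive on the request-id bytes, and Matt's observation that a long-form BER length moves the community string away from offset 5) as an added, constructed example; this is not code from the thread or from the Snort ruleset. It builds three SNMPv1 GetRequest packets with a small BER encoder, parses the community string with a length-aware walker, and compares that with a Snort-style `content/offset/depth` check. Assumptions: the helper names (`tlv`, `ber_length`, `snmp_community`, `content_match`, `analyze`) and all packets are mine; the rule is modelled as searching `depth` bytes starting at `offset`, and a "null" community is taken to be a single NUL byte (the rule's `|04 01 00|`) or an empty string.

```python
"""Constructed example: BER-aware SNMPv1 community parsing versus a fixed
offset/depth content match for sid 1892.  Not from the mailing-list thread."""

# Assumed helper: minimal BER TLV encoder.  long_form=n forces an n-byte
# long-form length (0x80|n followed by n length octets), which BER permits
# even when the short form would fit.
def tlv(tag: int, body: bytes, long_form: int = 0) -> bytes:
    if long_form:
        if len(body) >= 1 << (8 * long_form):
            raise ValueError("body too long for requested length width")
        length = bytes([0x80 | long_form]) + len(body).to_bytes(long_form, "big")
    elif len(body) < 0x80:
        length = bytes([len(body)])
    else:
        n = (len(body).bit_length() + 7) // 8
        length = bytes([0x80 | n]) + len(body).to_bytes(n, "big")
    return bytes([tag]) + length + body


def ber_length(buf: bytes, i: int):
    """Decode the BER length at buf[i]: short form (< 0x80) or long form
    (0x80|n, then n big-endian length octets).  Returns (length, content_index)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    if n == 0 or i + 1 + n > len(buf):  # 0x80 = indefinite length, not valid in SNMP
        raise ValueError("bad BER length at offset %d" % i)
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def snmp_community(pkt: bytes):
    """Walk SEQUENCE { INTEGER version, OCTET STRING community, ... }.
    Returns (version, community, offset of the community's 0x04 tag)."""
    if pkt[0] != 0x30:
        raise ValueError("not a SEQUENCE")
    _, i = ber_length(pkt, 1)
    if pkt[i] != 0x02:
        raise ValueError("expected INTEGER version")
    vlen, j = ber_length(pkt, i + 1)
    version = int.from_bytes(pkt[j:j + vlen], "big")
    i = j + vlen
    if pkt[i] != 0x04:
        raise ValueError("expected OCTET STRING community")
    clen, j = ber_length(pkt, i + 1)
    return version, pkt[j:j + clen], i


def content_match(pkt: bytes, content: bytes, offset: int, depth: int) -> bool:
    """Assumed Snort semantics: search only pkt[offset:offset+depth]."""
    return pkt[offset:offset + depth].find(content) != -1


def get_request(community: bytes, request_id: int, seq_long_form: int = 0) -> bytes:
    """SNMPv1 GetRequest for sysDescr.0 (constructed packet)."""
    varbind = tlv(0x30, tlv(0x06, bytes([0x2B, 6, 1, 2, 1, 1, 1, 0])) + tlv(0x05, b""))
    pdu = tlv(0xA0, tlv(0x02, request_id.to_bytes(4, "big"))   # request-id
                    + tlv(0x02, b"\x00") + tlv(0x02, b"\x00")  # error-status, error-index
                    + tlv(0x30, varbind))
    return tlv(0x30, tlv(0x02, b"\x00") + tlv(0x04, community) + pdu,
               long_form=seq_long_form)


# Constructed packets: community "secret" with a request-id whose encoding
# starts 02 04 01 00 (James's false positive); a one-byte NUL community with
# a short-form length; the same NUL community behind a 2-byte long-form
# SEQUENCE length (Matt's point).
PKT_SECRET = get_request(b"secret", 0x01000000)
PKT_NULL = get_request(b"\x00", 0x12345678)
PKT_NULL_LONG = get_request(b"\x00", 0x12345678, seq_long_form=2)

NULL_COMMUNITY = b"\x04\x01\x00"


def analyze(pkt: bytes) -> dict:
    version, community, tag_off = snmp_community(pkt)
    return {
        "version": version,
        "community": community,
        "community_tag_offset": tag_off,
        "parser_flags_null": community in (b"", b"\x00"),
        "sid1892_depth15": content_match(pkt, NULL_COMMUNITY, 5, 15),
        "sid1892_depth3": content_match(pkt, NULL_COMMUNITY, 5, 3),
    }


if __name__ == "__main__":
    for name, pkt in (("secret", PKT_SECRET), ("null", PKT_NULL), ("null/long-form", PKT_NULL_LONG)):
        print(name, pkt.hex(" "))
        print("   ", analyze(pkt))
```

Running it shows the trade-off directly: with `depth:15` the "secret" packet matches on the request-id bytes, with `depth:3` it no longer does, but the NUL community behind a `30 82 00 24` header sits at offset 7 and `depth:3` misses it while the parser still flags it. A detection that walks the BER lengths, as `snmp_community` does, is immune to both problems; `ber_length` also accepts Matt's `8F` followed by fifteen length octets and returns the huge length it encodes.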





More information about the Snort-sigs mailing list