[Snort-sigs] RE: Ignoring Win32 SNMP printer checks

Nerijus Krukauskas nk99 at ...2507...
Fri May 21 05:50:00 EDT 2004


nnposter at ...592... wrote:
>>From: "Shawn Cannon" <cannon1941 at ...1143...>
>>Referencing the message below, does this rule only ignore public SNMP
>>access to printers but still alert on other public SNMP requests?  I
>>want to make sure that I only ignore the printer SNMP requests.
> 
> 
> Yes, this is correct. Please see the sequence of specific OIDs the rule
> looks for.

   I'm still getting some "SNMP public access udp". Can't figure out 
what has caused them. The packet seems to fit your pass rule 
perfectly, but still it triggers an alert. See below the sample (snort 
v2.1.2).
   And, yes, the rule order in this snort instance is changed from 
default with -o option. Any ideas, anyone? Has it something to do with 
the event queuing?

[**] SNMP public access udp [**]
05/20/04-09:17:23.196921 X:X:X:X:X:X -> X:X:X:X:X:X type:0x800 len:0x77
X.X.X.X:1083 -> X.X.X.X:161 UDP TTL:128 TOS:0x0 ID:64174
IpLen:20 DgmLen:105
Len: 77
0x0000: XX XX XX XX XX XX XX XX XX XX XX XX XX XX 45 00  ..F#R....Z....E.
0x0010: 00 69 FA AE 00 00 80 11 XX XX XX XX XX XX XX XX  .i......O.......
0x0020: XX XX 04 3B 00 A1 00 55 XX XX 30 4B 02 01 00 04  .P.;...U..0K....
0x0030: 06 70 75 62 6C 69 63 A0 3E 02 01 5E 02 01 00 02  .public.>..^....
0x0040: 01 00 30 33 30 0F 06 0B 2B 06 01 02 01 19 03 02  ..030...+.......
0x0050: 01 05 01 05 00 30 0F 06 0B 2B 06 01 02 01 19 03  .....0...+......
0x0060: 05 01 01 01 05 00 30 0F 06 0B 2B 06 01 02 01 19  ......0...+.....
0x0070: 03 05 01 02 01 05 00                             .......

-- 
NK @ Vilnius
nk.tinkle.lt

The new Congressmen say they're going to turn the government around. I 
hope I don't get run over again.
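A way to see what the alerted packet actually carries, as an added example that is not code from the original post or from Snort: a minimal BER decoder for the SNMP payload transcribed from the hex dump above (the UDP data starts at offset 0x2A). It prints the community string, the PDU type, the request id and the exact OID sequence, and renders each OID in the |hex| form a Snort content: option would use, so the packet bytes can be compared against whatever a pass rule's content matches contain. The PRINTER_OID_PREFIX constant and the is_printer_status_probe check are assumptions standing in for the thread's pass rule, which is not quoted on this page.

```python
# Added example: decode the SNMPv1 GetRequest from the alert's hex dump and
# show the bytes a Snort content: match would have to see.  Not code from the
# original post or from Snort.
from typing import List, Tuple

# UDP payload (77 bytes) transcribed from the hex dump in the post, offset 0x2A on.
SNMP_PAYLOAD = bytes.fromhex(
    "30 4B 02 01 00 04 "
    "06 70 75 62 6C 69 63 A0 3E 02 01 5E 02 01 00 02 "
    "01 00 30 33 30 0F 06 0B 2B 06 01 02 01 19 03 02 "
    "01 05 01 05 00 30 0F 06 0B 2B 06 01 02 01 19 03 "
    "05 01 01 01 05 00 30 0F 06 0B 2B 06 01 02 01 19 "
    "03 05 01 02 01 05 00"
)

PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap"}

# Assumed for the check below: the HOST-RESOURCES-MIB hrDevice subtree, which
# holds hrDeviceStatus (25.3.2.1.5) and the hrPrinterTable (25.3.5).
PRINTER_OID_PREFIX = "1.3.6.1.2.1.25.3"


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one BER tag-length-value at buf[pos]; return (tag, value, next pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated TLV at offset %d" % pos)
    return tag, value, pos + length


def decode_oid(value: bytes) -> str:
    """BER OBJECT IDENTIFIER contents -> dotted string."""
    arcs = [value[0] // 40, value[0] % 40]  # first byte packs the first two arcs
    acc = 0
    for b in value[1:]:                     # base-128, high bit set on all but the last byte
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def encode_oid(dotted: str) -> bytes:
    """Dotted OID -> BER contents, i.e. the bytes a content:"|...|" match sees."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def rule_content_hex(dotted: str) -> str:
    """Render an OID as the |hex| form used inside a Snort content: option."""
    return "|" + " ".join("%02X" % b for b in encode_oid(dotted)) + "|"


def decode_snmp(payload: bytes) -> dict:
    """Decode an SNMPv1/v2c message: version, community, PDU type, request id, OIDs."""
    tag, msg, _ = read_tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message (outer tag 0x%02X)" % tag)
    _, ver, pos = read_tlv(msg, 0)          # INTEGER version (0 = SNMPv1)
    _, community, pos = read_tlv(msg, pos)  # OCTET STRING community
    pdu_tag, pdu, _ = read_tlv(msg, pos)    # context tag selects the PDU type
    _, req_id, p = read_tlv(pdu, 0)
    _, _err, p = read_tlv(pdu, p)           # error-status, unused here
    _, _idx, p = read_tlv(pdu, p)           # error-index, unused here
    _, vblist, _ = read_tlv(pdu, p)         # SEQUENCE OF VarBind
    oids: List[str] = []
    q = 0
    while q < len(vblist):
        _, vb, q = read_tlv(vblist, q)      # VarBind ::= SEQUENCE { name OID, value }
        _, oid, _ = read_tlv(vb, 0)
        oids.append(decode_oid(oid))
    return {
        "version": int.from_bytes(ver, "big", signed=True),
        "community": community.decode("ascii", "replace"),
        "pdu": PDU_NAMES.get(pdu_tag, "0x%02X" % pdu_tag),
        "request_id": int.from_bytes(req_id, "big", signed=True),
        "oids": oids,
    }


def is_printer_status_probe(decoded: dict, prefix: str = PRINTER_OID_PREFIX) -> bool:
    """Assumed stand-in for a printer-only pass rule: community 'public' and
    every requested OID under the hrDevice subtree."""
    oids = decoded["oids"]
    return (decoded["community"] == "public" and bool(oids)
            and all(o == prefix or o.startswith(prefix + ".") for o in oids))


if __name__ == "__main__":
    info = decode_snmp(SNMP_PAYLOAD)
    for key, val in info.items():
        print("%-11s %s" % (key, val))
    for oid in info["oids"]:
        print('content:"%s";' % rule_content_hex(oid))
    print("printer status probe:", is_printer_status_probe(info))
```

Run as a script, it lists the three OIDs under 1.3.6.1.2.1.25.3 (hrDeviceStatus, hrPrinterStatus and hrPrinterDetectedErrorState, instance 1) together with their raw |hex| byte sequences; those are the bytes to line up against the content: options of the pass rule when checking why the packet still raises the alert.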
