[Snort-sigs] Sid 1893 FP

Jon Hart jhart at ...288...
Wed Jul 5 16:50:54 EDT 2006


On Fri, Jun 16, 2006 at 10:41:45AM -0700, Blake Hartstein wrote:
> Jon,
> The rule is looking for |04 00| offset 5, and depth 15. Thus, it starts 
> looking at that offset, then stops looking once it reaches depth 15.
> It just so happens that the Request Id: 0x715e0400 is causing this rule 
> to alert, even though a valid community string has been specified.

Sorry for never responding.  This has popped up again.

I agree with what you said.  Wouldn't this actually be a bug with this
rule, since the community in SNMP v1 and v2 starts at offset 5?  I don't
see the need to walk 15 in, unless there is something about SNMP I am
missing (which is entirely possible).

-jon
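
The false positive discussed in this thread, reproduced as an added example (not code from either poster or from Snort): a raw `|04 00|` search over a constructed SNMPv1 GetRequest carrying the thread's request ID, beside a BER walk that checks the community string's actual length. The `admin` community, the packet builder and the reading of the search window as `payload[offset:offset+depth]` are assumptions; the long-form length handling goes beyond what the thread covers.

```python
# Added example: constructed SNMPv1 packets, not traffic from the thread.

def content_match(payload, pattern, offset, depth):
    """Raw byte search; assumes the window is payload[offset:offset+depth]."""
    return pattern in payload[offset:offset + depth]

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the BER TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long-form length: next n bytes
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:                                 # short-form length: one byte
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, pos, pos + length

def community(payload):
    """Walk SEQUENCE -> version INTEGER -> community OCTET STRING."""
    tag, start, _ = read_tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tag, _, end = read_tlv(payload, start)
    if tag != 0x02:
        raise ValueError("no version INTEGER")
    tag, start, end = read_tlv(payload, end)
    if tag != 0x04:
        raise ValueError("no community OCTET STRING")
    return payload[start:end]

def tlv(tag, value):
    """Encode a short-form TLV (the constructed samples are all < 128 bytes)."""
    return bytes([tag, len(value)]) + value

def get_request(comm, request_id):
    """Build a minimal SNMPv1 GetRequest with an empty varbind list."""
    pdu = tlv(0xA0, tlv(0x02, request_id) + tlv(0x02, b"\x00") * 2 + tlv(0x30, b""))
    return tlv(0x30, tlv(0x02, b"\x00") + tlv(0x04, comm) + pdu)

VALID = get_request(b"admin", bytes.fromhex("715e0400"))  # request ID from the thread
EMPTY = get_request(b"", bytes.fromhex("715e1234"))       # constructed request ID

# Columns: packet, raw content match (offset 5, depth 15), community really empty
for name, pkt in (("valid", VALID), ("empty", EMPTY)):
    print(name, content_match(pkt, b"\x04\x00", 5, 15), community(pkt) == b"")
```
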



