[Snort-sigs] SNMP Missing Community String Signature FP

Eric Hines eric.hines at ...1663...
Mon Jul 10 17:31:24 EDT 2006


SID #: 1893 (SNMP missing community string attempt) sets a depth max of 
15 bytes. This signature is improperly firing on several of our networks 
as a lot of different devices will set the community string deeper than 
15 bytes.

Is this happening frequently enough for everyone else out there to 
propose a modification to this rule to have the depth increased or 
eliminated, or do you guys consider this to be a local tuning 
responsibility of the administrator?

Has anyone else had this problem?

Snort Team: Should we submit this using the Snort signature template for 
submitting False Positives? All 50,000 alerts in one day for this 
signature were FPs :)

Where do we draw the line on a signature using too tight a 
depth/offset, etc., being a False Positive or user-specific tuning?

----- snip ------

alert UDP $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP missing 
community string attempt"; content:"|04 00|"; depth:15; 
offset:5; reference:bugtraq,2112; reference:cve,1999-0517; 
classtype:misc-attack; sid:1893; rev:4;)

---- example packet -----

0fdd 00a1 0033 d483 3029 0201 0004 0670         .......3..0).....p
7562 6c69 63a0 1c02 0400 a063 f602 0100 0201    ublic......c......
0030 0e30 0c06 082b 0601 0201 0103 0005 00      .0.0...+.........


Best Regards,

Eric S. Hines, GCIA, CISSP
CEO, President, Chairman
Applied Watch Technologies, LLC


Email:   eric.hines at ...1663...
Address: 1095 Pingree Road
          Suite 213
          Crystal Lake, IL
Tel:     (877) 262-7593 ext:327
Local:   (847) 854-5831
Fax:     (847) 854-5106
Web:     http://www.appliedwatch.com

Security Management for the Open Source Enterprise

-------------- next part --------------
A non-text attachment was scrubbed...
Name: eric.hines.vcf
Type: text/x-vcard
Size: 372 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20060710/3e65927a/attachment.vcf>

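The script below is an added example; it is not part of the original post and not code from the Snort project. It rebuilds the datagram from the hex dump above, decodes it as an SNMPv1 BER message, and applies the rule's content:"|04 00|"; offset:5; depth:15 test the way Snort 2 evaluates it (depth is assumed to be counted from offset, as in the Snort 2 manual), then reports which decoded field the two-byte pattern falls in. Two further packets are constructed for comparison: one with an empty community string (the case the rule is written for) and one that is the posted GetRequest with a small request-id. The helper names (ber_tlv, decode_snmpv1, content_match, evaluate_sid1893, build_snmpv1_get, udp_datagram) are hypothetical, not Snort APIs.

```python
# Added example, not from the original post or from Snort itself: decode the
# posted datagram as SNMPv1 and apply SID 1893's content test to it.
# All helper names below are hypothetical.

# Constructed from the hex dump in the post: 8-byte UDP header followed by the
# 43-byte SNMP payload (the UDP length field reads 0x0033 = 51 bytes).
POSTED_DATAGRAM = bytes.fromhex(
    "0fdd00a10033d483"                      # UDP: sport 4061, dport 161, len 51, csum
    "3029020100040670" "75626c6963a01c020400a063f60201000201"
    "00300e300c06082b060102010103000500"
)
SYSUPTIME_OID = bytes.fromhex("2b06010201010300")   # 1.3.6.1.2.1.1.3.0, as in the dump


def ber_tlv(buf, pos):
    """Parse the BER TLV at buf[pos]; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    hdr = 2
    if length & 0x80:                       # long-form length (not needed for this packet)
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr += n
    start = pos + hdr
    return tag, start, start + length


def decode_snmpv1(payload):
    """Walk an SNMPv1 GetRequest/GetNext/Set message.  Returns
    ([(field_name, tlv_start, tlv_end), ...], community) so that any payload
    offset can be attributed to the field whose encoding contains it."""
    tag, pos, _ = ber_tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("outer SEQUENCE missing; not an SNMP message")
    fields = []
    _, _, end = ber_tlv(payload, pos)                  # INTEGER version
    fields.append(("version", pos, end))
    pos = end
    _, start, end = ber_tlv(payload, pos)              # OCTET STRING community
    community = payload[start:end]
    fields.append(("community", pos, end))
    pos = end
    _, start, _ = ber_tlv(payload, pos)                # context tag 0xA0..0xA3 = PDU type
    fields.append(("pdu-tag+len", pos, start))
    pos = start
    for name in ("request-id", "error-status", "error-index", "varbindlist"):
        _, _, end = ber_tlv(payload, pos)
        fields.append((name, pos, end))
        pos = end
    return fields, community


def content_match(payload, pattern, offset, depth):
    """Assumed Snort 2 semantics: the pattern must lie entirely within the
    `depth` bytes that begin at `offset`.  Returns the absolute payload offset
    of the first match, or None."""
    i = payload[offset:offset + depth].find(pattern)
    return None if i < 0 else offset + i


def evaluate_sid1893(datagram):
    """Apply content:"|04 00|"; offset:5; depth:15 to the SNMP payload of a UDP
    datagram and name the decoded field the hit lands in."""
    payload = datagram[8:]                             # strip the UDP header
    fields, community = decode_snmpv1(payload)
    hit = content_match(payload, b"\x04\x00", offset=5, depth=15)
    result = {"alert": hit is not None, "community": community,
              "hit_offset": hit, "matched_field": None}
    if hit is not None:
        result["matched_field"] = next((n for n, s, e in fields if s <= hit < e), "unknown")
    return result


def tlv(tag, value):
    """Encode a short-form BER TLV (value shorter than 128 bytes)."""
    assert len(value) < 128
    return bytes([tag, len(value)]) + value


def build_snmpv1_get(community, request_id):
    """Constructed SNMPv1 GetRequest for sysUpTime.0 with the given community
    and pre-encoded request-id bytes; same layout as the posted packet."""
    varbinds = tlv(0x30, tlv(0x30, tlv(0x06, SYSUPTIME_OID) + tlv(0x05, b"")))
    pdu = tlv(0xA0, tlv(0x02, request_id) + tlv(0x02, b"\x00")
              + tlv(0x02, b"\x00") + varbinds)
    return tlv(0x30, tlv(0x02, b"\x00") + tlv(0x04, community) + pdu)


def udp_datagram(payload, sport=4061, dport=161):
    """Prepend a UDP header (checksum left zero; not verified here)."""
    length = 8 + len(payload)
    return (sport.to_bytes(2, "big") + dport.to_bytes(2, "big")
            + length.to_bytes(2, "big") + b"\x00\x00" + payload)


def posted_payload_roundtrips():
    """Self-check: community 'public' with request-id 0x00a063f6 re-encodes to
    the posted SNMP payload byte for byte.  BER INTEGERs are two's complement,
    so the 3-byte value a0 63 f6 (high bit set) needs a leading 0x00 and is
    emitted as 02 04 00 a0 63 f6; every request-id in 0x800000..0xffffff
    encodes this way."""
    return build_snmpv1_get(b"public", bytes.fromhex("00a063f6")) == POSTED_DATAGRAM[8:]


# Constructed comparison packets (not from the post).
EMPTY_COMMUNITY = udp_datagram(build_snmpv1_get(b"", b"\x01"))          # what the rule targets
SMALL_REQUEST_ID = udp_datagram(build_snmpv1_get(b"public", b"\x12\x34"))

if __name__ == "__main__":
    assert posted_payload_roundtrips()
    for label, dgram in (("posted", POSTED_DATAGRAM), ("empty community", EMPTY_COMMUNITY),
                         ("small request-id", SMALL_REQUEST_ID)):
        print(label, evaluate_sid1893(dgram))
```

Running it prints, for the posted packet, an alert with community b'public' and the hit at payload offset 16 inside the request-id INTEGER; for the constructed empty-community packet the hit sits at offset 5 inside the community field; the small request-id variant does not match at all. The same decode-and-attribute step is how you would triage any content/offset/depth rule against a captured packet before deciding whether the fix belongs in the rule or in local tuning.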