[Snort-sigs] SNMP Missing Community String Signature FP

Matt Kettler mkettler at ...189...
Mon Jul 10 18:15:47 EDT 2006


Eric Hines wrote:
> All:
> 
> SID #: 1893 (SNMP missing community string attempt) sets a depth max of
> 15 bytes. This signature is improperly firing on several of our networks
> as a lot of different devices will set the community string deeper than
> 15 bytes.
> 
> Is this happening frequently enough for everyone else out there to
> propose a modification to this rule to have the depth increased or
> eliminated, or do you guys consider this to be a local tuning
> responsibility of the administrator?
> 
> Has anyone else had this problem?
> 
> Snort Team: Should we submit this using the Snort signature template for
> submitting False Positives? All 50,000 alerts in one day for this
> signature were FPs :)
> 
> Where do we draw the line on a signature using too tight of a
> Depth/Offset, etc.. being a False Positive or User-specific tuning?
> 
> ----- snip ------
> 
> alert UDP $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP missing
> community string attempt";  content:"|04 00|"; depth:15;
> offset:5;reference:bugtraq,2112; reference:cve,1999-0517;
> classtype:misc-attack; sid:1893; rev:4;)
> 
> 
> ---- example packet -----
> 
> 0fdd 00a1 0033 d483 3029 0201 0004 0670         .......3..0).....p
> 7562 6c69 63a0 1c02 0400 a063 f602 0100 0201    ublic......c......
> 0030 0e30 0c06 082b 0601 0201 0103 0005 00      .0.0...+.........
> 

Erm, call me crazy, but that packet should not have matched that rule, if the
rule is working correctly. (of course, my brain may be off too, I've not done a
lot of snorting lately)

Note that the rule should fire if "04 00" is found within a range from bytes
5-20 (starting with offset 5, and a maximum depth of 15 bytes from 5).. In this
case, 04 00 is found  at bytes 25&26.

The rule shouldn't match.




More information about the Snort-sigs mailing list