[Snort-sigs] SNMP Missing Community String Signature FP

Eric Hines eric.hines at ...1663...
Mon Jul 10 18:22:53 EDT 2006


Odd, it is.. and yeah, you're right. Ive got over 50,000 alerts for this 
rule and the same type of packet.

Best Regards,

Eric S. Hines, GCIA, CISSP
CEO, President, Chairman
Applied Watch Technologies, LLC


--------------------------------------------------

Eric S. Hines, GCIA, CISSP
CEO, President, Chairman
Applied Watch Technologies, LLC

--------------------------------------------------

Email:   eric.hines at ...1663...
Address: 1095 Pingree Road
          Suite 213
          Crystal Lake, IL
          60014
Tel:     (877) 262-7593 ext:327
Local:   (847) 854-5831
Fax:     (847) 854-5106
Web:     http://www.appliedwatch.com

--------------------------------------------------
Security Management for the Open Source Enterprise





Matt Kettler wrote:
> Eric Hines wrote:
>> All:
>>
>> SID #: 1893 (SNMP missing community string attempt) sets a depth max of
>> 15 bytes. This signature is improperly firing on several of our networks
>> as a lot of different devices will set the community string deeper than
>> 15 bytes.
>>
>> Is this happening frequently enough for everyone else out there to
>> propose a modification to this rule to have the depth increased or
>> eliminated, or do you guys consider this to be a local tuning
>> responsibility of the administrator?
>>
>> Has anyone else had this problem?
>>
>> Snort Team: Should we submit this using the Snort signature template for
>> submitting False Positives? All 50,000 alerts in one day for this
>> signature were FPs :)
>>
>> Where do we draw the line on a signature using too tight of a
>> Depth/Offset, etc.. being a False Positive or User-specific tuning?
>>
>> ----- snip ------
>>
>> alert UDP $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP missing
>> community string attempt";  content:"|04 00|"; depth:15;
>> offset:5;reference:bugtraq,2112; reference:cve,1999-0517;
>> classtype:misc-attack; sid:1893; rev:4;)
>>
>>
>> ---- example packet -----
>>
>> 0fdd 00a1 0033 d483 3029 0201 0004 0670         .......3..0).....p
>> 7562 6c69 63a0 1c02 0400 a063 f602 0100 0201    ublic......c......
>> 0030 0e30 0c06 082b 0601 0201 0103 0005 00      .0.0...+.........
>>
> 
> Erm, call me crazy, but that packet should not have matched that rule, if the
> rule is working correctly. (of course, my brain may be off too, I've not done a
> lot of snorting lately)
> 
> Note that the rule should fire if "04 00" is found within a range from bytes
> 5-20 (starting with offset 5, and a maximum depth of 15 bytes from 5).. In this
> case, 04 00 is found  at bytes 25&26.
> 
> The rule shouldn't match.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: eric.hines.vcf
Type: text/x-vcard
Size: 372 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20060710/244e6003/attachment.vcf>


More information about the Snort-sigs mailing list