[Snort-sigs] SNMP Missing Community String Signature FP

Eric Hines eric.hines at ...1663...
Mon Jul 10 18:25:58 EDT 2006


The |04 00| starts at what, byte 18 from offset 5? Which is of course 
outside of the 15 byte depth. I don't understand why it's firing. Can 
anyone jump in here?

Best Regards,

Eric S. Hines, GCIA, CISSP
CEO, President, Chairman
Applied Watch Technologies, LLC


--------------------------------------------------


Email:   eric.hines at ...1663...
Address: 1095 Pingree Road
          Suite 213
          Crystal Lake, IL
          60014
Tel:     (877) 262-7593 ext:327
Local:   (847) 854-5831
Fax:     (847) 854-5106
Web:     http://www.appliedwatch.com

--------------------------------------------------
Security Management for the Open Source Enterprise





Matt Kettler wrote:
> Eric Hines wrote:
>> All:
>>
>> SID #: 1893 (SNMP missing community string attempt) sets a depth max of
>> 15 bytes. This signature is improperly firing on several of our networks
>> as a lot of different devices will set the community string deeper than
>> 15 bytes.
>>
>> Is this happening frequently enough for everyone else out there to
>> propose a modification to this rule to have the depth increased or
>> eliminated, or do you guys consider this to be a local tuning
>> responsibility of the administrator?
>>
>> Has anyone else had this problem?
>>
>> Snort Team: Should we submit this using the Snort signature template for
>> submitting False Positives? All 50,000 alerts in one day for this
>> signature were FPs :)
>>
>> Where do we draw the line on a signature using too tight of a
>> Depth/Offset, etc.. being a False Positive or User-specific tuning?
>>
>> ----- snip ------
>>
>> alert UDP $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP missing
>> community string attempt";  content:"|04 00|"; depth:15;
>> offset:5;reference:bugtraq,2112; reference:cve,1999-0517;
>> classtype:misc-attack; sid:1893; rev:4;)
>>
>>
>> ---- example packet -----
>>
>> 0fdd 00a1 0033 d483 3029 0201 0004 0670         .......3..0).....p
>> 7562 6c69 63a0 1c02 0400 a063 f602 0100 0201    ublic......c......
>> 0030 0e30 0c06 082b 0601 0201 0103 0005 00      .0.0...+.........
>>
> 
> Erm, call me crazy, but that packet should not have matched that rule, if the
> rule is working correctly. (of course, my brain may be off too, I've not done a
> lot of snorting lately)
> 
> Note that the rule should fire if "04 00" is found within a range from bytes
> 5-20 (starting with offset 5, and a maximum depth of 15 bytes from 5).. In this
> case, 04 00 is found at bytes 25&26.
> 
> The rule shouldn't match.
> 
> 
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
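Added example (my own code, not anything posted in this thread): the script below takes the packet dump quoted above, strips the 8-byte UDP header (Snort runs content matches over the UDP payload, and both byte counts in the thread appear to include the header), and replays the rule's `content:"|04 00|"; offset:5; depth:15;` window over the payload. It also decodes the SNMP BER header so you can see which field the matched bytes belong to: in this packet the `04 00` is the length byte and first value byte of the request-id INTEGER (`02 04 00 a0 63 f6`) at payload byte 16, inside the 5..19 window, while the community string is the 6-byte `public` at byte 5. A structural check on the community OCTET STRING length (the condition SID 1893 is approximating with a byte pattern) is shown alongside; the empty-community packet used to exercise it is constructed here, not taken from the page.

```python
from typing import Dict, Optional, Tuple

# Hex dump quoted in the thread (UDP header + SNMPv1 GetRequest), copied from the page.
PACKET_HEX = (
    "0fdd 00a1 0033 d483 3029 0201 0004 0670 "
    "7562 6c69 63a0 1c02 0400 a063 f602 0100 0201 "
    "0030 0e30 0c06 082b 0601 0201 0103 0005 00"
)
UDP_HEADER_LEN = 8

# Constructed SNMPv1 GetRequest (payload only) with an EMPTY community string:
# SEQUENCE { INTEGER 0, OCTET STRING "", GetRequest { req-id 1, 0, 0, varbinds {} } }
EMPTY_COMMUNITY_PKT = bytes.fromhex(
    "3015 020100 0400 a00e 020400000001 020100 020100 3000".replace(" ", "")
)


def udp_payload(hexdump: str) -> bytes:
    """Parse a whitespace-separated hex dump and drop the 8-byte UDP header."""
    return bytes.fromhex(hexdump.replace(" ", ""))[UDP_HEADER_LEN:]


def snort_content_match(payload: bytes, pattern: bytes, offset: int, depth: int) -> Optional[int]:
    """Emulate Snort's content/offset/depth: start `offset` bytes into the payload and
    search the next `depth` bytes; the whole pattern must fit inside that window.
    Returns the payload index of the first match, or None."""
    window = payload[offset:offset + depth]
    idx = window.find(pattern)
    return None if idx < 0 else offset + idx


def ber_tlv(buf: bytes, pos: int) -> Tuple[int, int, int]:
    """Return (tag, value_start, value_end) for the BER TLV at `pos`
    (handles short-form and long-form definite lengths)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def parse_snmp_header(payload: bytes) -> Dict[str, object]:
    """Decode version, community and request-id from an SNMPv1/v2c message."""
    tag, start, _ = ber_tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message (missing outer SEQUENCE)")
    tag, vs, ve = ber_tlv(payload, start)              # INTEGER version
    version = int.from_bytes(payload[vs:ve], "big")
    tag, cs, ce = ber_tlv(payload, ve)                 # OCTET STRING community
    if tag != 0x04:
        raise ValueError("community string field is not an OCTET STRING")
    community = payload[cs:ce]
    pdu_tag, ps, _ = ber_tlv(payload, ce)              # context tag 0xa0.. = PDU type
    _, rs, rid_end = ber_tlv(payload, ps)              # INTEGER request-id
    request_id = int.from_bytes(payload[rs:rid_end], "big", signed=True)
    return {
        "version": version,
        "community": community,
        "community_len": len(community),
        "community_offset": cs - 2,                    # index of the 0x04 tag byte
        "pdu_type": pdu_tag,
        "request_id": request_id,
        "request_id_tlv_offset": ps,                   # where "02 04 ..." begins
    }


def empty_community(payload: bytes) -> bool:
    """Structural form of the check SID 1893 approximates with |04 00|."""
    return parse_snmp_header(payload)["community_len"] == 0


def rule_1893_fires(payload: bytes) -> bool:
    """True if the quoted rule's content/offset/depth would match this payload."""
    return snort_content_match(payload, b"\x04\x00", offset=5, depth=15) is not None


if __name__ == "__main__":
    for label, payload in (("thread packet", udp_payload(PACKET_HEX)),
                           ("constructed empty-community packet", EMPTY_COMMUNITY_PKT)):
        hdr = parse_snmp_header(payload)
        hit = snort_content_match(payload, b"\x04\x00", offset=5, depth=15)
        print(f"{label}: community={hdr['community']!r} at byte {hdr['community_offset']}, "
              f"request-id TLV at byte {hdr['request_id_tlv_offset']}, "
              f"|04 00| match at byte {hit}, empty community: {empty_community(payload)}")
```

Running it shows the thread's packet matching at payload byte 16 with community `public` (the request-id INTEGER's length byte 0x04 followed by a leading 0x00), and the constructed empty-community packet matching at byte 5, where the rule intends to match. Any short community string paired with a 4-byte request-id whose high byte is zero reproduces the false positive, which is why a byte pattern with a 15-byte depth is a loose stand-in for "community OCTET STRING has length zero".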