[Snort-sigs] SNMP Missing Community String Signature FP

Eric Hines eric.hines at ...1663...
Mon Jul 10 19:11:14 EDT 2006


Hi Blake,

Thanks for your insight. Actually, the packet was provided by Snort. I 
cut the IP header for security reasons. What you are looking at is 
starting from the first byte of the payload.

In speaking to a few others, we're noticing that offset is being used after 
depth instead of before; does the order matter? It looks as if the 
contributor(s) for the rule are Brian, Nigel/Sourcefire Research Team.

Can anyone from Sourcefire VRT explain what's happening with this rule 
and why it's firing on these packets despite the depth/offset options?

Best Regards,

Eric S. Hines, GCIA, CISSP
CEO, President, Chairman
Applied Watch Technologies, LLC

--------------------------------------------------

Email:   eric.hines at ...1663...
Address: 1095 Pingree Road
          Suite 213
          Crystal Lake, IL
          60014
Tel:     (877) 262-7593 ext:327
Local:   (847) 854-5831
Fax:     (847) 854-5106
Web:     http://www.appliedwatch.com

--------------------------------------------------
Security Management for the Open Source Enterprise





Blake Hartstein wrote:
> Eric,
> Where exactly did you get that packet? (tcpdump format?)
> 
> If so, chances are you are seeing the headers and the start of the 
> payload starts later in the packet, which is my initial guess, send me a 
> pcap and I would be happy to analyze it for you.
> 
> -Blake
> 
> 
> 
> 
> Eric Hines wrote:
>> All:
>>
>> Please ignore the initial explanation in this first email. I'm trying 
>> to understand why Snort is firing on these packets when |04 00| is 
>> outside the 15 byte depth, starting counting from the 5th byte offset. 
>> Is the rule written wrong?
>>
>> Best Regards,
>>
>> Eric S. Hines, GCIA, CISSP
>> CEO, President, Chairman
>> Applied Watch Technologies, LLC
>>
>> --------------------------------------------------
>>
>> Email:   eric.hines at ...1663...
>> Address: 1095 Pingree Road
>>          Suite 213
>>          Crystal Lake, IL
>>          60014
>> Tel:     (877) 262-7593 ext:327
>> Local:   (847) 854-5831
>> Fax:     (847) 854-5106
>> Web:     http://www.appliedwatch.com
>>
>> --------------------------------------------------
>> Security Management for the Open Source Enterprise
>>
>>
>>
>>
>>
>> Eric Hines wrote:
>>> All:
>>>
>>> SID #: 1893 (SNMP missing community string attempt) sets a depth max 
>>> of 15 bytes. This signature is improperly firing on several of our 
>>> networks as a lot of different devices will set the community string 
>>> deeper than 15 bytes.
>>>
>>> Is this happening frequently enough for everyone else out there to 
>>> propose a modification to this rule to have the depth increased or 
>>> eliminated, or do you guys consider this to be a local tuning 
>>> responsibility of the administrator?
>>>
>>> Has anyone else had this problem?
>>>
>>> Snort Team: Should we submit this using the Snort signature template 
>>> for submitting False Positives? All 50,000 alerts in one day for this 
>>> signature were FPs :)
>>>
>>> Where do we draw the line on a signature using too tight of a 
>>> Depth/Offset, etc.. being a False Positive or User-specific tuning?
>>>
>>> ----- snip ------
>>>
>>> alert UDP $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP missing 
>>> community string attempt";  content:"|04 00|"; depth:15; 
>>> offset:5;reference:bugtraq,2112; reference:cve,1999-0517; 
>>> classtype:misc-attack; sid:1893; rev:4;)
>>>
>>>
>>> ---- example packet -----
>>>
>>> 0fdd 00a1 0033 d483 3029 0201 0004 0670         .......3..0).....p
>>> 7562 6c69 63a0 1c02 0400 a063 f602 0100 0201    ublic......c......
>>> 0030 0e30 0c06 082b 0601 0201 0103 0005 00      .0.0...+.........
>>>
>>>
>>>
>>> _______________________________________________
>>> Snort-sigs mailing list
>>> Snort-sigs at lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> 
> 
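As an added example (not part of this thread, and not Sourcefire's code), the script below decodes the hex dump Eric pasted and evaluates sid:1893's content/offset/depth window on it. It assumes the first eight bytes of the dump are a UDP header, as Blake guessed (they decode to destination port 161 and length 51, which is exactly 8 plus the 43-byte SNMP message), so Snort's payload byte 0 is the 0x30 that opens the BER SEQUENCE. The search window is modelled as payload bytes [offset, offset+depth), which is how Snort applies the pair to the preceding content keyword regardless of the order the two modifiers are written in, and is the only reading under which this packet matches at all. The empty-community packet and the tighter depth:2 variant are constructed for illustration only.

```python
"""Decode the SNMP packet quoted in the thread and show why sid:1893 fires.

Added example, not code from the original thread or from Sourcefire.
"""
import struct

# Hex dump copied from the quoted message, ASCII column dropped. The first
# eight bytes are a UDP header (dst port 0x00a1 = 161, length 0x0033 = 51),
# so Snort's payload starts at the 0x30 that opens the SNMP SEQUENCE.
PACKET_HEX = (
    "0fdd 00a1 0033 d483 3029 0201 0004 0670"
    " 7562 6c69 63a0 1c02 0400 a063 f602 0100 0201"
    " 0030 0e30 0c06 082b 0601 0201 0103 0005 00"
)

# Constructed SNMPv1 payload (no UDP header) with an empty community string,
# i.e. |04 00| immediately after the version INTEGER: the shape sid:1893 is
# written to catch.
EMPTY_COMMUNITY_HEX = (
    "3023 0201 0004 00a0 1c02 0400 a063 f602 0100 0201"
    " 0030 0e30 0c06 082b 0601 0201 0103 0005 00"
)

# The content/offset/depth triple from the rule quoted in the thread.
SID_1893 = {"pattern": b"\x04\x00", "offset": 5, "depth": 15}


def parse_hexdump(text):
    """Turn a space-separated hex dump into bytes."""
    return bytes.fromhex(text.replace(" ", ""))


def split_udp(datagram):
    """Split a UDP datagram into its 8-byte header fields and the payload."""
    src, dst, length, csum = struct.unpack("!HHHH", datagram[:8])
    header = {"src_port": src, "dst_port": dst, "length": length, "checksum": csum}
    return header, datagram[8:]


def ber_tlv(buf, pos):
    """Decode one BER tag and length at buf[pos]; return (tag, value_start, value_end).

    Handles the long-form length (0x81/0x82 ...) used by messages >= 128 bytes,
    which is exactly what shifts the community string away from payload byte 5.
    """
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def snmp_fields(payload):
    """Pull version, community and request-id out of an SNMPv1/v2c message."""
    tag, pos, _ = ber_tlv(payload, 0)            # outer SEQUENCE
    if tag != 0x30:
        raise ValueError("payload does not start with a BER SEQUENCE")
    _, vs, ve = ber_tlv(payload, pos)            # INTEGER version
    _, cs, ce = ber_tlv(payload, ve)             # OCTET STRING community
    pdu_tag, ps, _ = ber_tlv(payload, ce)        # context-specific PDU (0xa0 = GetRequest)
    _, rs, re_ = ber_tlv(payload, ps)            # INTEGER request-id
    return {
        "version": int.from_bytes(payload[vs:ve], "big"),
        "community": payload[cs:ce],
        "community_tag_offset": ve,              # where |04 len| really sits
        "pdu_tag": pdu_tag,
        "request_id": int.from_bytes(payload[rs:re_], "big"),
        "request_id_offset": ps,                 # where the INTEGER tag of request-id sits
    }


def content_match(buf, pattern, offset=0, depth=None):
    """Model Snort's content/offset/depth: the whole pattern must lie inside
    buf[offset:offset+depth]. Returns the match position or None."""
    end = len(buf) if depth is None else offset + depth
    pos = buf.find(pattern, offset, end)
    return None if pos < 0 else pos


def evaluate(buf, rule=SID_1893):
    """Run one rule's content check over a buffer."""
    return content_match(buf, rule["pattern"], rule["offset"], rule["depth"])


if __name__ == "__main__":
    datagram = parse_hexdump(PACKET_HEX)
    header, payload = split_udp(datagram)
    print("UDP header:", header)
    print("SNMP fields:", snmp_fields(payload))
    print("sid:1893 on the payload:", evaluate(payload))             # 16, inside request-id
    print("sid:1893 counted from datagram byte 0:", evaluate(datagram))  # None
    print("offset:5 depth:2 on the payload:", content_match(payload, b"\x04\x00", 5, 2))
    empty = parse_hexdump(EMPTY_COMMUNITY_HEX)
    print("empty community, sid:1893:", evaluate(empty))             # 5
    print("empty community, offset:5 depth:2:", content_match(empty, b"\x04\x00", 5, 2))
```

Run as-is, the script shows that the community string in the quoted packet is "public" at payload byte 5, and the |04 00| that satisfies the rule is the tag and high byte of the four-byte request-id INTEGER (02 04 00 a0 63 f6) at payload byte 16, comfortably inside the 5..19 window. Counting from the datagram's first byte instead, as the pasted dump invites, puts that pair at byte 24 and outside the window, which is where the confusion in the thread comes from. A window of offset:5 depth:2 pins the check to the community tag itself and does not fire on this packet while still catching the constructed empty-community message; the caveat is that any SNMP message using a long-form SEQUENCE length (0x30 0x82 ...) or a non-minimal version encoding moves the community tag away from byte 5, which `snmp_fields` reports via `community_tag_offset`, so a fixed-offset rule trades the false positives seen here for misses on those packets.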