[Snort-sigs] SNMP Missing Community String Signature FP

Frank Knobbe frank at ...1978...
Mon Jul 10 19:20:58 EDT 2006


On Mon, 2006-07-10 at 18:15 -0400, Matt Kettler wrote:
> > 0fdd 00a1 0033 d483 3029 0201 0004 0670         .......3..0).....p
> > 7562 6c69 63a0 1c02 0400 a063 f602 0100 0201    ublic......c......
> > 0030 0e30 0c06 082b 0601 0201 0103 0005 00      .0.0...+.........
> > 
> 
> Erm, call me crazy, but that packet should not have matched that rule, if the
> rule is working correctly. (of course, my brain may be off too, I've not done a
> lot of snorting lately)
> 
> Note that the rule should fire if "04 00" is found within a range from bytes
> 5-20 (starting with offset 5, and a maximum depth of 15 bytes from 5).. In this
> case, 04 00 is found  at bytes 25&26.

No, I think there are too many bytes preceding this packet. I just
glanced at a couple SNMP packets and they start with |30 2c 02 01 00 04
06 70 |. It appears that "0fdd 00a1 0033 d483" are erroneously listed,
perhaps being IP options? Then the |04 00| would indeed occur at
position 17 & 18, falling right in 5-20 where Snort would alert on.

Looks like the data display is flawed in that it displays part of the IP
option header as data. What software produced this output?

Regards,
Frank

-- 
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 187 bytes
Desc: This is a digitally signed message part
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20060710/afc594a5/attachment.sig>


More information about the Snort-sigs mailing list