[Snort-sigs] SNMP Missing Community String Signature FP

Eric Hines eric.hines at ...1663...
Mon Jul 10 19:26:47 EDT 2006


But this still begs to ask why the signature is looking for |04 00| and
the Rule Description is: SNMP Missing Community String Attempt.

As you guys can see from the packet, the payload contains the 'public'
community string. False Positive? If so, why look for |04 00|?



Best Regards,

Eric S. Hines, GCIA, CISSP
CEO, President, Chairman
Applied Watch Technologies, LLC


Frank Knobbe wrote:
> On Mon, 2006-07-10 at 18:15 -0400, Matt Kettler wrote:
>>> 0fdd 00a1 0033 d483 3029 0201 0004 0670         .......3..0).....p
>>> 7562 6c69 63a0 1c02 0400 a063 f602 0100 0201    ublic......c......
>>> 0030 0e30 0c06 082b 0601 0201 0103 0005 00      .0.0...+.........
>>>
>> Erm, call me crazy, but that packet should not have matched that rule, if the
>> rule is working correctly. (of course, my brain may be off too, I've not done a
>> lot of snorting lately)
>>
>> Note that the rule should fire if "04 00" is found within a range from bytes
>> 5-20 (starting with offset 5, and a maximum depth of 15 bytes from 5). In this
>> case, 04 00 is found at bytes 25&26.
> 
> No, I think there are too many bytes preceding this packet. I just
> glanced at a couple SNMP packets and they start with |30 2c 02 01 00 04
> 06 70 |. It appears that "0fdd 00a1 0033 d483" are erroneously listed,
> perhaps being IP options? Then the |04 00| would indeed occur at
> position 17 & 18, falling right in 5-20 where Snort would alert on.
> 
> Looks like the data display is flawed in that it displays part of the IP
> option header as data. What software produced this output?
> 
> Regards,
> Frank
> 
> 
> 
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
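As an added example, not code from the thread, from Snort or from Applied Watch: a short Python replay of the rule's content match (|04 00| at offset 5, depth 15) over the packet quoted above, followed by a minimal BER walk of the SNMP message. It assumes the dump's first eight bytes are a UDP header rather than SNMP data (destination port 0x00a1 = 161, length 0x33 = 51 bytes); that assumption, the `snort_content_match` helper and the parser are mine, not the thread's.

```python
# Added example (not from the thread or Snort): replay the rule's content
# match against the quoted dump, then parse the SNMP BER structure.
# Assumption: the first 8 bytes of the dump are a UDP header (dst port
# 0x00a1 = 161, length 0x33 = 51 = 8 + 43), so SNMP starts at offset 8.
HEX_DUMP = (
    "0fdd 00a1 0033 d483 3029 0201 0004 0670 "
    "7562 6c69 63a0 1c02 0400 a063 f602 0100 0201 "
    "0030 0e30 0c06 082b 0601 0201 0103 0005 00"
)
DUMP = bytes.fromhex(HEX_DUMP.replace(" ", ""))
SNMP = DUMP[8:]   # assumption: UDP header stripped, 43 bytes left

def snort_content_match(payload, pattern, offset, depth):
    """Mimic content:"|04 00|"; offset:5; depth:15 -> 0-based hit, or -1."""
    pos = payload[offset:offset + depth].find(pattern)
    return -1 if pos < 0 else offset + pos

def read_tlv(buf, i):
    """One BER TLV at buf[i] (short-form length): (tag, value, next_index)."""
    tag, length = buf[i], buf[i + 1]
    return tag, buf[i + 2:i + 2 + length], i + 2 + length

def snmp_community(msg):
    """Community string of an SNMPv1/v2c message, or None if malformed."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x30:                        # outer SEQUENCE
        return None
    _, _, i = read_tlv(body, 0)            # INTEGER version
    tag, community, _ = read_tlv(body, i)  # OCTET STRING community
    return community if tag == 0x04 else None

def snmp_request_id(msg):
    """Request-id INTEGER of the PDU: the |04 00| is its length byte (04)
    followed by its first octet (00), not an empty community string."""
    _, body, _ = read_tlv(msg, 0)
    _, _, i = read_tlv(body, 0)            # version
    _, _, i = read_tlv(body, i)            # community
    _, pdu, _ = read_tlv(body, i)          # 0xa0 = GetRequest-PDU
    tag, req_id, _ = read_tlv(pdu, 0)
    return req_id if tag == 0x02 else None

if __name__ == "__main__":
    print("hit on raw dump :", snort_content_match(DUMP, b"\x04\x00", 5, 15))
    print("hit on SNMP only:", snort_content_match(SNMP, b"\x04\x00", 5, 15))
    print("community       :", snmp_community(SNMP))
    print("request-id      :", snmp_request_id(SNMP).hex())
```

Run stand-alone it shows the rule would not fire on the dump as displayed but would on the SNMP message alone (hit at 0-based offset 16, i.e. bytes 17 and 18), and that the matched |04 00| belongs to the GetRequest's request-id INTEGER, so a community string of "public" still trips a rule written as a bare content match.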