[Snort-sigs] SNMP Missing Community String Signature FP

Nigel Houghton nigel at ...435...
Mon Jul 10 19:28:30 EDT 2006


On  0, Eric Hines <eric.hines at ...1663...> wrote:
> Hi Blake,
> 
> Thanks for your insight. Actually, the packet was provided from Snort. I 
> cut the IP header for security reasons. What you are looking at is 
> starting from the first byte of the payload.
> 
> In speaking to a few others, we're noticing offset is being used after 
> depth instead of before, does the order matter? It looks as if the 
> contributor(s) for the rule are Brian, Nigel/Sourcefire Research Team.
> 
> Can anyone from Sourcefire VRT explain what's happening with this rule 
> and why it's firing on these packets despite the depth/offset options?
 
Apologies for not replying sooner, I just got most of this thread in one
fell swoop (not sure I actually have the whole thing yet, I still don't
see the original message).

I suspect you are also looking at the UDP header in the packet, don't
forget that Snort knows about this and starts its detection after the
UDP header. The packet display from Snort will show you the whole thing.

Anyway, not a lot more I can say without seeing the packets causing the
event to occur.

+--------------------------------------------------------------------+
     Nigel Houghton      Research Engineer       Sourcefire Inc.
                   Vulnerability Research Team

         There is no theory of evolution, just a list
            of creatures Vin Diesel allows to live.
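To make the point about the UDP header concrete, here is an added Python example (not code from the thread, from Snort, or from the VRT rule): it strips the 8-byte UDP header the way Snort does before applying a content match with offset and depth, then evaluates the same option string against the raw datagram so the difference is visible. The datagram, payload and option string are constructed for illustration and are not the real signature's values; the offset/depth window is modelled on Snort 2 semantics (depth counted from the offset), which is an assumption of this model.

```python
import re
import struct
from typing import Optional, Tuple

UDP_HEADER_LEN = 8  # Snort begins content inspection after the UDP header


def udp_payload(datagram: bytes) -> bytes:
    """Return the UDP payload: drop src port, dst port, length and checksum."""
    if len(datagram) < UDP_HEADER_LEN:
        raise ValueError("datagram shorter than a UDP header")
    _src, _dst, length, _csum = struct.unpack("!HHHH", datagram[:UDP_HEADER_LEN])
    if length != len(datagram):
        raise ValueError(f"UDP length {length} != datagram size {len(datagram)}")
    return datagram[UDP_HEADER_LEN:]


def parse_content(options: str) -> Tuple[bytes, int, Optional[int]]:
    """Parse 'content:"|04 00|"; depth:2; offset:5;' into (pattern, offset, depth).
    Only pipe-delimited hex is handled; offset and depth may appear in either order."""
    m = re.search(r'content:"\|([0-9a-fA-F ]+)\|"', options)
    if not m:
        raise ValueError("no |hex| content in rule options")
    pattern = bytes.fromhex(m.group(1))
    mods = dict(re.findall(r"(offset|depth):(\d+)", options))
    offset = int(mods.get("offset", 0))
    depth = int(mods["depth"]) if "depth" in mods else None
    return pattern, offset, depth


def content_match(buf: bytes, pattern: bytes, offset: int = 0, depth: Optional[int] = None) -> bool:
    """Window starts at `offset` and spans at most `depth` bytes from there
    (assumption: Snort 2 semantics, pattern must fit entirely inside the window)."""
    window = buf[offset:] if depth is None else buf[offset:offset + depth]
    return pattern in window


def rule_fires(datagram: bytes, options: str, skip_udp_header: bool = True) -> bool:
    """Evaluate the content option against the payload (as Snort) or the raw bytes."""
    buf = udp_payload(datagram) if skip_udp_header else datagram
    pattern, offset, depth = parse_content(options)
    return content_match(buf, pattern, offset, depth)


# Constructed sample (not the packet from the thread): UDP to port 161 carrying an
# SNMPv1-shaped payload whose community string is the empty OCTET STRING |04 00|.
SAMPLE_PAYLOAD = bytes.fromhex("300a 020100 0400 a003020100")
SAMPLE_DATAGRAM = struct.pack("!HHHH", 40000, 161, UDP_HEADER_LEN + len(SAMPLE_PAYLOAD), 0) + SAMPLE_PAYLOAD
# Hypothetical option string, not the real SID's content/offset/depth values.
SAMPLE_OPTIONS = 'content:"|04 00|"; depth:2; offset:5;'
```

Run against the sample, `rule_fires(SAMPLE_DATAGRAM, SAMPLE_OPTIONS)` is True, while the same check over the raw dump with the UDP header still attached (`skip_udp_header=False`) is False, because offset 5 then lands inside the header instead of the payload.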
