[Snort-sigs] SNMP Missing Community String Signature FP

Eric Hines eric.hines at ...1663...
Mon Jul 10 19:33:22 EDT 2006


Packet pasted below starting from UDP Header. You are correct, as Jon 
pointed out, the 5 byte offset was starting from the UDP header instead 
of the Payload.

But it still begs to ask as to why the rule is firing when the payload 
does in fact contain the public community string. Why search for |04 00| 
? What would the |04 00| be indicative of if the payload does contain 
the community string?

0fdd 00a1 0033 d483 3029 0201 0004 0670         .......3..0).....p
7562 6c69 63a0 1c02 0400 a063 f602 0100 0201    ublic......c......
0030 0e30 0c06 082b 0601 0201 0103 0005 00      .0.0...+.........

Best Regards,

Eric S. Hines, GCIA, CISSP
CEO, President, Chairman
Applied Watch Technologies, LLC


Eric S. Hines, GCIA, CISSP
CEO, President, Chairman
Applied Watch Technologies, LLC


Email:   eric.hines at ...1663...
Address: 1095 Pingree Road
          Suite 213
          Crystal Lake, IL
Tel:     (877) 262-7593 ext:327
Local:   (847) 854-5831
Fax:     (847) 854-5106
Web:     http://www.appliedwatch.com

Security Management for the Open Source Enterprise

Nigel Houghton wrote:
> On  0, Eric Hines <eric.hines at ...1663...> wrote:
>> Hi Blake,
>> Thanks for your insight. Actually. the packet was provided from Snort. I 
>> cut the IP header for security reasons. What you are looking at is 
>> starting from the first byte of the payload.
>> In speaking to a few others, we're noticing offset is being used after 
>> depth instead of before, does the order matter? It looks as if the 
>> contributor(s) for the rule are Brian, Nigel/Sourcefire Research Team.
>> Can anyone from Sourcefire VRT explain whats happening with this rule 
>> and why its firing on these packets despite the depth/offset options?
> Apologies for not replying sooner, I just got most of this thread in one
> fell swoop (not sure I actually have the whole thing yet, I still don't
> see the original message).
> I suspect you are also looking at the UDP header in the packet, don't
> forget that Snort knows about this and starts it's detection after the
> UDP header. The packet display from Snort will show you the whole thing.
> Anyway, not a lot more I can say without seeing the packets causing the
> event to occur.
> +--------------------------------------------------------------------+
>      Nigel Houghton      Research Engineer       Sourcefire Inc.
>                    Vulnerability Research Team
>          There is no theory of evolution, just a list
>             of creatures Vin Diesel allows to live.
> -------------------------------------------------------------------------
> Using Tomcat but need to do more? Need to support web services, security?
> Get stuff done quickly with pre-integrated technology to make your job easier
> Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
> http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
-------------- next part --------------
A non-text attachment was scrubbed...
Name: eric.hines.vcf
Type: text/x-vcard
Size: 372 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20060710/68f059e0/attachment.vcf>

More information about the Snort-sigs mailing list