[Snort-sigs] SNMP Missing Community String Signature FP
mkettler at ...189...
Mon Jul 10 19:50:49 EDT 2006
Eric Hines wrote:
> Packet pasted below starting from UDP Header. You are correct, as Jon
> pointed out, the 5 byte offset was starting from the UDP header instead
> of the Payload.
> But it still begs to ask as to why the rule is firing when the payload
> does in fact contain the public community string. Why search for |04 00|
> ? What would the |04 00| be indicative of if the payload does contain
> the community string?
That's the terminating sequence for the community string. (End-of-text NUL)
I think the theory is to look for a community string that is just a terminator.
Apparently the theory doesn't work so well in this case.
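
The false positive discussed in this thread, as an added example that is not part of the original messages or of the Snort rule set: a raw search for `04 00` in a window starting at payload offset 5, compared with decoding the community field by its BER structure. The packet is constructed, and the 15-byte depth, the request-id value, and all function names are assumptions.

```python
def tlv(tag, value):
    """Encode a short-form BER TLV (value under 128 bytes)."""
    return bytes([tag, len(value)]) + value

def read_tlv(buf, pos):
    """Decode one short-form BER TLV at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos + 1] & 0x80:
        raise ValueError("truncated or long-form length (not handled here)")
    end = pos + 2 + buf[pos + 1]
    if end > len(buf):
        raise ValueError("truncated value")
    return buf[pos], buf[pos + 2:end], end

def build_get(community):
    """Constructed SNMPv1 GetRequest for sysDescr.0, request-id 0x801234."""
    oid = bytes.fromhex("2b06010201010100")
    varbinds = tlv(0x30, tlv(0x30, tlv(0x06, oid) + tlv(0x05, b"")))
    # INTEGER 0x801234 needs a leading 00, so it encodes as 02 04 00 80 12 34
    request_id = tlv(0x02, bytes.fromhex("00801234"))
    pdu = tlv(0xA0, request_id + tlv(0x02, b"\x00") + tlv(0x02, b"\x00") + varbinds)
    return tlv(0x30, tlv(0x02, b"\x00") + tlv(0x04, community) + pdu)

def community_of(payload):
    """Walk SEQUENCE -> version INTEGER -> community OCTET STRING."""
    tag, body, _ = read_tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tag, _version, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("version is not an INTEGER")
    tag, community, _ = read_tlv(body, pos)
    if tag != 0x04:  # 0x04 = OCTET STRING; an empty one encodes as 04 00
        raise ValueError("community is not an OCTET STRING")
    return community

def raw_match(payload, offset=5, depth=15):
    """Byte search for 04 00 in a fixed window (offset from the thread, depth assumed)."""
    return b"\x04\x00" in payload[offset:offset + depth]

if __name__ == "__main__":
    for name in (b"public", b""):
        pkt = build_get(name)
        print(pkt.hex(" "))
        print("  raw 04 00 match:", raw_match(pkt),
              "| decoded community:", community_of(pkt))
```

With the community set to `public`, the raw search still matches because the request-id's length byte `04` is followed by a leading `00` value byte inside the window; the structural decode reports the community as present.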