[Snort-sigs] SNMP Missing Community String Signature FP

Matt Kettler mkettler at ...189...
Mon Jul 10 19:50:49 EDT 2006


Eric Hines wrote:
> Nigel,
> 
> Packet pasted below starting from UDP Header. You are correct, as Jon
> pointed out, the 5 byte offset was starting from the UDP header instead
> of the Payload.
> 
> But it still begs to ask as to why the rule is firing when the payload
> does in fact contain the public community string. Why search for |04 00|
> ? What would the |04 00| be indicative of if the payload does contain
> the community string?

That's the terminating sequence for the community string. (End-of-text NUL)

I think the theory is to look for a community string that is just a terminator.

Apparently the theory doesn't work so well in this case.
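
An added example, not part of the original message and not the packet from this thread: it compares a content-style search for |04 00| from payload offset 5 with a check that decodes the BER header and reads the community field itself (OCTET STRING tag 04; a length of 00 means it is empty). The packets are constructed, all function names are hypothetical, and only the offset is modelled since the rule's other options are not shown here.

```python
# Added example (not from the thread). Packets below are constructed.
def tlv(tag, value):
    """Encode one BER TLV; short-form length only (value < 128 bytes)."""
    return bytes([tag, len(value)]) + value

def read_tlv(buf, pos):
    """Decode one BER TLV at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length

def community(payload):
    """Return the community from SEQUENCE { INTEGER version, OCTET STRING community, ... }."""
    tag, body, _ = read_tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tag, _, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("version is not an INTEGER")
    tag, value, _ = read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("community is not an OCTET STRING")
    return value

def byte_match(payload, offset=5):
    """Content-style test: |04 00| anywhere at or after offset (5 assumed from the thread)."""
    return payload.find(b"\x04\x00", offset) != -1

def get_request(comm):
    """Constructed SNMPv1 GetRequest for sysDescr.0 with request-id 0x9A1234."""
    rid = tlv(0x02, bytes.fromhex("009a1234"))  # encodes as 02 04 00 9a 12 34
    zero = tlv(0x02, b"\x00")                   # version 0, error-status 0, error-index 0
    oid = tlv(0x06, bytes.fromhex("2b06010201010100"))
    varbinds = tlv(0x30, tlv(0x30, oid + tlv(0x05, b"")))
    return tlv(0x30, zero + tlv(0x04, comm) + tlv(0xA0, rid + zero + zero + varbinds))

for name, pkt in (("public", get_request(b"public")), ("empty", get_request(b""))):
    print(name, "byte_match:", byte_match(pkt), "community:", community(pkt))
```

In the constructed "public" packet the byte search hits inside the request-id INTEGER (02 04 00 ...), while the decoded community field is non-empty; only the second packet has an empty community.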






