[Snort-sigs] SNMP Missing Community String Signature FP

Eric Hines eric.hines at ...1663...
Mon Jul 10 19:52:48 EDT 2006


Matt, agreed.

Nigel, shall I fill out the False Positive submission form on the
snort.org site for this issue?


Best Regards,

Eric S. Hines, GCIA, CISSP
CEO, President, Chairman
Applied Watch Technologies, LLC


Matt Kettler wrote:
> Eric Hines wrote:
>> Nigel,
>>
>> Packet pasted below starting from UDP Header. You are correct, as Jon
>> pointed out, the 5 byte offset was starting from the UDP header instead
>> of the Payload.
>>
>> But it still begs to ask as to why the rule is firing when the payload
>> does in fact contain the public community string. Why search for |04 00|
>> ? What would the |04 00| be indicative of if the payload does contain
>> the community string?
> 
> That's the terminating sequence for the community string. (End-of-text NUL)
> 
> I think the theory is to look for a community string that is just a terminator.
> 
> Apparently the theory doesn't work so well in this case.
> 
> 
> 
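
The sketch below is an added example, not code from the thread or from Snort: it contrasts a fixed-window search for |04 00| with decoding the community field itself, reading 04 as the BER OCTET STRING tag and 00 as a zero length. The packets are constructed (not the packet Eric pasted), the 15-byte search depth is an assumption, and all function names are hypothetical.

```python
OFFSET, DEPTH = 5, 15  # 5-byte offset as discussed in the thread; depth is assumed

# Constructed varbind list: sysDescr.0 with a NULL value.
VARBINDS = bytes.fromhex("300e300c06082b060102010101000500")

def tlv(tag, value):
    """Encode one BER TLV using a short-form length (value under 128 bytes)."""
    if len(value) > 127:
        raise ValueError("long-form length not needed for these samples")
    return bytes([tag, len(value)]) + value

def build_get(community, request_id):
    """Constructed SNMPv1 GetRequest, starting at the UDP payload."""
    status_and_index = tlv(0x02, b"\x00") * 2
    pdu = tlv(0xA0, tlv(0x02, request_id) + status_and_index + VARBINDS)
    return tlv(0x30, tlv(0x02, b"\x00") + tlv(0x04, community) + pdu)

def pattern_hit(payload):
    """Position-based check: |04 00| anywhere inside the search window."""
    return b"\x04\x00" in payload[OFFSET:OFFSET + DEPTH]

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the short-form TLV at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length = buf[pos], buf[pos + 1]
    end = pos + 2 + length
    if length & 0x80 or end > len(buf):
        raise ValueError("long-form or truncated length")
    return tag, buf[pos + 2:end], end

def community_of(payload):
    """Walk SEQUENCE -> INTEGER version -> OCTET STRING community."""
    tag, body, _ = read_tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tag, _version, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("version is not an INTEGER")
    tag, community, _ = read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("community is not an OCTET STRING")
    return community

if __name__ == "__main__":
    samples = {"empty community": build_get(b"", bytes.fromhex("01020304")),
               "public, id 0x00a1b2c3": build_get(b"public", bytes.fromhex("00a1b2c3")),
               "public, id 0x01020304": build_get(b"public", bytes.fromhex("01020304"))}
    for name, pkt in samples.items():
        print(f"{name}: pattern_hit={pattern_hit(pkt)} community={community_of(pkt)!r}")
```

In the second sample the request-id is a 4-byte INTEGER whose first byte is 00, so its length byte and pad byte form 04 00 inside the window even though the community is "public"; this is one way such a match can occur, not a diagnosis of the packet in the thread.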