[Snort-sigs] SNMP Missing Community String Signature FP

Nigel Houghton nigel at ...435...
Mon Jul 10 20:23:53 EDT 2006


On  0, Eric Hines <eric.hines at ...1663...> wrote:
> Nigel,
> 
> Packet pasted below starting from UDP Header. You are correct, as Jon 
> pointed out, the 5 byte offset was starting from the UDP header instead 
> of the Payload.
> 
> But it still begs to ask as to why the rule is firing when the payload 
> does in fact contain the public community string. Why search for |04 00| 
> ? What would the |04 00| be indicative of if the payload does contain 
> the community string?
> 
> 
> 0fdd 00a1 0033 d483 3029 0201 0004 0670         .......3..0).....p
> 7562 6c69 63a0 1c02 0400 a063 f602 0100 0201    ublic......c......
> 0030 0e30 0c06 082b 0601 0201 0103 0005 00      .0.0...+.........

Well, the community string should be followed by an SNMP PDU which
contains the type of pdu, request-id, some error stuff and other things.

In versions of NT 4 it was possible to use the public community string,
(or any known community, but public was default) to connect and access
functions. Up to a service pack release that fixed the issue, it was not
possible to make the community read only, it was always read/write and
thus, if accessible, it was possible to do whatever you wanted using
SNMP.

I think the "04 00" indicates the termination of data. There is a "a0 1c" 
right after the "public" in this case, which IIRC means "get". So the
"termination" (for want of a better word) bytes seem to be in the ID
field in this case.

(I could be wrong about the get thing, but right after the request type
should be a request-id)

+--------------------------------------------------------------------+
     Nigel Houghton      Research Engineer       Sourcefire Inc.
                   Vulnerability Research Team

         There is no theory of evolution, just a list
            of creatures Vin Diesel allows to live.
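As an added example (not part of the original thread), the following Python walks the BER structure of the packet quoted above: it skips the 8-byte UDP header, pulls out the version, community string, PDU type and request-id, and reports every payload offset where the bare |04 00| pattern occurs next to the structural check a rule really wants (an OCTET STRING of length 0 in the community slot). The function names are my own; the only input is the hex dump from the mail.

```python
import re

# Constructed from the hex dump quoted above: 8 bytes of UDP header (src port
# 0x0fdd, dst port 161, length 0x33, checksum) then the 43-byte SNMPv1 message.
PACKET = bytes.fromhex(
    "0fdd 00a1 0033 d483 3029 0201 0004 0670"
    "7562 6c69 63a0 1c02 0400 a063 f602 0100 0201"
    "0030 0e30 0c06 082b 0601 0201 0103 0005 00"
)
UDP_HEADER_LEN = 8
PDU_TYPES = {0xa0: "GetRequest", 0xa1: "GetNextRequest", 0xa2: "GetResponse",
             0xa3: "SetRequest", 0xa4: "Trap"}

def read_tlv(buf, pos):
    """Parse one BER element at pos -> (tag, value, end). Short-form lengths only."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form BER length not handled")
    end = pos + 2 + length
    return tag, buf[pos + 2:end], end

def parse_snmpv1(payload):
    """Walk the SNMPv1 message header: version, community, PDU type, request-id."""
    tag, _, _ = read_tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("SNMP message must start with a SEQUENCE")
    tag, version, pos = read_tlv(payload, 2)        # first field inside the SEQUENCE
    if tag != 0x02:
        raise ValueError("version must be an INTEGER")
    community_offset = pos                          # where the community's 0x04 tag sits
    tag, community, pos = read_tlv(payload, pos)
    if tag != 0x04:
        raise ValueError("community must be an OCTET STRING")
    pdu_tag = payload[pos]                          # 0xa0 = GetRequest in SNMPv1
    tag, req_id, _ = read_tlv(payload, pos + 2)     # request-id is the PDU's first field
    if tag != 0x02:
        raise ValueError("request-id must be an INTEGER")
    return {"version": int.from_bytes(version, "big"),
            "community": community.decode("ascii", "replace"),
            "community_offset": community_offset,
            "pdu_type": PDU_TYPES.get(pdu_tag, hex(pdu_tag)),
            "request_id": int.from_bytes(req_id, "big")}

def community_is_empty(payload):
    """Structural check: an OCTET STRING of length 0 in the community slot."""
    return parse_snmpv1(payload)["community"] == ""

def pattern_offsets(payload, pattern=b"\x04\x00"):
    """Every payload offset where a bare byte pattern such as |04 00| occurs."""
    return [m.start() for m in re.finditer(re.escape(pattern), payload)]
```

On this packet the community string starts at payload offset 5 and is "public", while the only |04 00| is at offset 16, the length byte and leading zero of the request-id INTEGER (02 04 00 a0 63 f6), which is why a bare content match fires even though the community is present.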
