[Snort-sigs] SNMP Missing Community String Signature FP

Nigel Houghton nigel at ...435...
Mon Jul 10 20:27:13 EDT 2006


On  0, Eric Hines <eric.hines at ...1663...> wrote:
> Matt, agreed.
> 
> Nigel, shall I fill out the False Positive submission form on the 
> snort.org site for this issue?
 
If you can send some details that would be great, yes. Thanks.
 
> Matt Kettler wrote:
> >Eric Hines wrote:
> >>Nigel,
> >>
> >>Packet pasted below starting from UDP Header. You are correct, as Jon
> >>pointed out, the 5 byte offset was starting from the UDP header instead
> >>of the Payload.
> >>
> >>But it still begs to ask as to why the rule is firing when the payload
> >>does in fact contain the public community string. Why search for |04 00|
> >>? What would the |04 00| be indicative of if the payload does contain
> >>the community string?
> >
> >That's the terminating sequence for the community string. (End-of-text 
> >NUL)

ok.

> >I think the theory is to look for a community string that is just a 
> >terminator.
> >
> >Apparently the theory doesn't work so well in this case.

Heh, I guess not :)

+--------------------------------------------------------------------+
     Nigel Houghton      Research Engineer       Sourcefire Inc.
                   Vulnerability Research Team

         There is no theory of evolution, just a list
            of creatures Vin Diesel allows to live.
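
Added example, not part of the thread and not the Snort rule itself: an SNMP message carries the community as a BER OCTET STRING, so an empty one encodes as the two bytes 04 00. The sketch below compares a raw search for |04 00| from payload offset 5 with a check that decodes the community field. The unbounded search window, the function names and both packets are assumptions constructed for illustration.

```python
# Added illustration; packets below are constructed, not captured traffic.

def read_len(buf, i):
    """Decode a BER length at buf[i]; return (length, index after it)."""
    first = buf[i]
    if first < 0x80:                      # short form
        return first, i + 1
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or i + 1 + n > len(buf):
        raise ValueError("unsupported or truncated BER length")
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def read_tlv(buf, i, tag):
    """Read one TLV with the expected tag; return (value, next index)."""
    if i >= len(buf) or buf[i] != tag:
        raise ValueError("unexpected tag")
    length, j = read_len(buf, i + 1)
    if j + length > len(buf):
        raise ValueError("truncated value")
    return buf[j:j + length], j + length

def community(payload):
    """Community string of an SNMPv1/v2c message (UDP payload bytes)."""
    body, _ = read_tlv(payload, 0, 0x30)  # outer SEQUENCE
    _, i = read_tlv(body, 0, 0x02)        # version INTEGER
    comm, _ = read_tlv(body, i, 0x04)     # community OCTET STRING
    return comm

def naive_match(payload, offset=5):
    """Byte-pattern check: |04 00| anywhere from the given payload offset."""
    return b"\x04\x00" in payload[offset:]

def missing_community(payload):
    """Structural check: true only when the community field is empty."""
    try:
        return community(payload) == b""
    except (ValueError, IndexError):
        return False                      # not parseable as SNMP

# GetRequest PDU whose request-id is encoded as 02 04 00 9a bc de,
# followed by one varbind for 1.3.6.1.2.1.1.1.0 with a NULL value.
PDU = bytes.fromhex("a01c" "0204009abcde" "020100" "020100"
                    "300e300c" "06082b06010201010100" "0500")
GET_PUBLIC = bytes.fromhex("3029020100" "04067075626c6963") + PDU
GET_EMPTY = bytes.fromhex("3023020100" "0400") + PDU

if __name__ == "__main__":
    for name, pkt in (("public", GET_PUBLIC), ("empty", GET_EMPTY)):
        print(name, naive_match(pkt), missing_community(pkt))
```

In the constructed "public" packet the pattern match hits the length byte and leading zero of the request-id, while the decoded community field is still "public".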