[Snort-sigs] Sid 1893 FP

Jon Hart jhart at ...288...
Fri Jun 16 12:30:40 EDT 2006


This is the sig to detect SNMP traffic with missing community strings.
I have this one FP every so often.  Here is a pcap showing the original
payload (with obfuscated src/dst IP).

I'm not clear why it is even triggering... unless I'm blind, at offset
15 the bytes are '04 05', not '04 00'.

Thoughts?

-jon
-------------- next part --------------
A non-text attachment was scrubbed...
Name: snmp.pcap
Type: application/octet-stream
Size: 127 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20060616/1273ae8d/attachment.obj>
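
An added example, not part of the original post and not the text of sid 1893: it decodes the BER header to read the community string directly, and compares that with a raw search for the bytes 04 00. Both datagrams are constructed, and `raw_match` is a hypothetical stand-in for a content match, not the rule's actual options.

```python
# Added example: constructed SNMPv1 GetRequest datagrams, not the poster's pcap.
TAIL = "02 01 00 02 01 00 30 0e 30 0c 06 08 2b 06 01 02 01 01 01 00 05 00"
# Community "snmp5"; the request-id INTEGER encodes as 02 04 00 92 34 56.
NAMED = bytes.fromhex(
    "30 28 02 01 00 04 05 73 6e 6d 70 35 a0 1c 02 04 00 92 34 56 " + TAIL)
# Same request with a zero-length community (04 00 right after the version).
EMPTY = bytes.fromhex("30 23 02 01 00 04 00 a0 1c 02 04 00 92 34 56 " + TAIL)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_len) for the BER TLV at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                    # short-form length
        length = first
    else:                               # long form: low 7 bits count length octets
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of datagram")
    return tag, pos, length

def community_of(payload):
    """Return the community string of an SNMPv1/v2c message as bytes."""
    tag, pos, _ = read_tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("outer SEQUENCE expected")
    tag, vstart, vlen = read_tlv(payload, pos)
    if tag != 0x02:
        raise ValueError("version INTEGER expected")
    tag, cstart, clen = read_tlv(payload, vstart + vlen)
    if tag != 0x04:
        raise ValueError("community OCTET STRING expected")
    return payload[cstart:cstart + clen]

def raw_match(payload, start=0, window=None):
    """Hypothetical raw matcher: is 04 00 anywhere in payload[start:start+window]?"""
    end = len(payload) if window is None else start + window
    return b"\x04\x00" in payload[start:end]

if __name__ == "__main__":
    for name, pkt in (("NAMED", NAMED), ("EMPTY", EMPTY)):
        print(name, "raw_match:", raw_match(pkt), "community:", community_of(pkt))
```

In the constructed `NAMED` datagram the only 04 00 pair is the length octet of the request-id INTEGER followed by its leading zero byte, so the raw search matches while the decoded community is five bytes long.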
