[Snort-sigs] Lot of FP with 2002926

Chich Thierry thierry.chich at ...2579...
Fri May 26 02:24:13 EDT 2006


 2002926 : BLEEDING-EDGE SNMP Cisco Non-Trap PDU request on SNMPv1 random port

I have a lot of FPs with this rule. I don't understand exactly why, but it
seems that this signature is found in standard SNMPv1 responses.


alert udp any any -> $HOME_NET 49152: (msg:"BLEEDING-EDGE SNMP Cisco Non-Trap PDU request on SNMPv1 random port"; content:"|02 01 00|"; distance:2; within:3; byte_test:1,>,159,8,relative; byte_test:1,<,164,8,relative; reference:cve,2004-0714; reference:bugtraq,10186; classtype:attempted-dos; sid:2002926; rev:1; )

For instance:

09:20:05.999462 IP 10.115.109.246.161 > 172.30.92.192.59407:  
GetResponse(32)  .1.3.6.1.2.1.1.3.0=54841443
        0x0000:  4500 004b c8b8 4000 3e11 f2a1 0a73 6df6  E..K..@.>....sm.
        0x0010:  ac1e 5cc0 00a1 e80f 0037 4ca7 302d 0201  ..\......7L.0-..
        0x0020:  0004 0670 7562 6c69 63a2 2002 046b a0b2  ...public....k..
        0x0030:  2302 0100 0201 0030 1230 1006 082b 0601  #......0.0...+..
        0x0040:  0201 0103 0043 0403 44d0 63              .....C..D.c
09:20:06.035558 IP 10.115.103.246.161 > 172.30.92.192.59408:  
GetResponse(32)  .1.3.6.1.2.1.1.3.0=37438882
        0x0000:  4500 004b f27b 4000 3e11 cede 0a73 67f6  E..K.{@.>....sg.
        0x0010:  ac1e 5cc0 00a1 e810 0037 1b32 302d 0201  ..\......7.20-..
        0x0020:  0004 0670 7562 6c69 63a2 2002 046b a0b2  ...public....k..
        0x0030:  2502 0100 0201 0030 1230 1006 082b 0601  %......0.0...+..
        0x0040:  0201 0103 0043 0402 3b45 a2              .....C..;E.

Couldn't we rewrite this rule as:

 alert udp any !161 -> $HOME_NET 49152: (msg:"BLEEDING-EDGE SNMP Cisco Non-Trap PDU request on SNMPv1 random port"; content:"|02 01 00|"; distance:2; within:3; byte_test:1,>,159,8,relative; byte_test:1,<,164,8,relative; reference:cve,2004-0714; reference:bugtraq,10186; classtype:attempted-dos; sid:2002926; rev:1; )

?


Thierry
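The following is an added example, not part of the post above or of the Bleeding Edge rule set: it replays the rule's payload options over the first packet from the tcpdump dump in the message, showing why a plain SNMPv1 GetResponse from port 161 satisfies sid:2002926 and how the proposed "any !161" source-port change suppresses it while still matching a request. The second packet (a constructed GetRequest from a client port) and the assumption that the destination is in $HOME_NET are the example's own.

```python
import struct

# Packet 1 from the message's tcpdump hex dump (IP header + UDP header + SNMP).
PKT1 = bytes.fromhex(
    "4500004bc8b840003e11f2a10a736df6" "ac1e5cc000a1e80f00374ca7302d0201"
    "0004067075626c6963a22002046ba0b2" "230201000201003012301006082b0601"
    "020101030043040344d063"
)

PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap"}


def split_ip_udp(pkt):
    """Return (src_port, dst_port, udp_payload) from a raw IPv4/UDP datagram."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 17:
        raise ValueError("not UDP")
    sport, dport, ulen = struct.unpack("!HHH", pkt[ihl:ihl + 6])
    return sport, dport, pkt[ihl + 8:ihl + ulen]


def payload_matches(payload):
    """Replay the rule's payload options.
    content:"|02 01 00|"; distance:2; within:3 -> bytes 2..4 are the SNMP
    version INTEGER 0 (SNMPv1). byte_test:1,>,159,8,relative and
    byte_test:1,<,164,8,relative -> the byte 8 past that match (offset 13)
    is 0xa0..0xa3, a non-Trap PDU tag. Note the fixed offset: it only lands
    on the PDU tag when the community string is 6 bytes long ("public")."""
    if len(payload) < 14 or payload[2:5] != b"\x02\x01\x00":
        return False, None
    tag = payload[13]
    return 159 < tag < 164, tag


def rule_fires(pkt, exclude_src_161=False):
    """Rule header: any port -> $HOME_NET 49152: (destination assumed to be in
    $HOME_NET); exclude_src_161 applies the proposed 'any !161' source port."""
    sport, dport, payload = split_ip_udp(pkt)
    if dport < 49152 or (exclude_src_161 and sport == 161):
        return False
    return payload_matches(payload)[0]


# Constructed request: same SNMP body with the tag set to GetRequest (0xa0) and
# a client source port, i.e. the direction the rule targets. UDP checksum left 0.
_req_body = bytearray(split_ip_udp(PKT1)[2])
_req_body[13] = 0xA0
REQ_PKT = PKT1[:20] + struct.pack("!HHHH", 40000, 50000, 8 + len(_req_body), 0) + bytes(_req_body)

if __name__ == "__main__":
    for name, pkt in (("GetResponse from 161", PKT1), ("constructed request", REQ_PKT)):
        sport, dport, payload = split_ip_udp(pkt)
        ok, tag = payload_matches(payload)
        print(f"{name}: {sport}->{dport} pdu={PDU_NAMES.get(tag)} "
              f"original={rule_fires(pkt)} proposed={rule_fires(pkt, True)}")
```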
