[Snort-sigs] False positive/Rule change for SID 1893?

David Glenn davidrglenn at ...2420...
Thu Nov 9 17:24:00 EST 2006


Greetings,

I am running a 4-sensor snort site (versions 2.6 and 2.4), and believe that
there is an error in the snmp rule for SID 1893 (SNMP missing community string).

I've been getting alerts that, upon examination, look like false positives.
Here is an example:

*Sample Data:*

length = 90

000 : 30 58 02 01 00 04 07 68 6F 73 74 69 6E 67 A0 4A   0X.....hosting.J
010 : 02 *04 00* E0 7A 20 02 01 00 02 01 00 30 3C 30 0E   ....z ......0<0.
020 : 06 0A 2B 06 01 02 01 02 02 01 0A 02 05 00 30 0E   ..+...........0.
030 : 06 0A 2B 06 01 02 01 02 02 01 10 02 05 00 30 0C   ..+...........0.
040 : 06 08 2B 06 01 02 01 01 03 00 05 00 30 0C 06 08   ..+.........0...
050 : 2B 06 01 02 01 01 05 00 05 00                     +.........


There is a valid community string within the proper place in the SNMP msg
header, but snort thinks otherwise...


From the snort rules:

alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP missing community
string attempt"; content:"|04 00|"; depth:15; offset:5;
reference:bugtraq,2112; reference:cve,1999-0517; classtype:misc-attack;
sid:1893; rev:4;)


My thought is that the "Depth:15" should be "Depth:6" instead?  I have
implemented this rule change on 1 of my sensors, and am waiting to see if
that fixes it.


Thank you for your help or advice,
David Glenn
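Added example, not part of the original post and not the Snort project's own code: it re-types the 90-byte sample from the dump above, emulates the rule's content/offset/depth match with both the shipped depth:15 and the proposed depth:6, and contrasts that byte-pattern check with a structural BER decode of the community string. The empty-community packet is constructed here for comparison.

```python
# The 90-byte GetRequest from the post, re-typed from its hex dump.
SAMPLE = bytes.fromhex(
    "30 58 02 01 00 04 07 68 6F 73 74 69 6E 67 A0 4A "
    "02 04 00 E0 7A 20 02 01 00 02 01 00 30 3C 30 0E "
    "06 0A 2B 06 01 02 01 02 02 01 0A 02 05 00 30 0E "
    "06 0A 2B 06 01 02 01 02 02 01 10 02 05 00 30 0C "
    "06 08 2B 06 01 02 01 01 03 00 05 00 30 0C 06 08 "
    "2B 06 01 02 01 01 05 00 05 00"
)
# Constructed SNMPv1 GetRequest with an empty community string (what SID 1893 intends to catch).
EMPTY_COMMUNITY = bytes.fromhex("30 12 02 01 00 04 00 A0 0B 02 01 01 02 01 00 02 01 00 30 00")
RULE_CONTENT = bytes.fromhex("04 00")   # content:"|04 00|" from the rule

def content_match(payload, content, offset, depth):
    """Emulate Snort content/offset/depth: search payload[offset:offset+depth].
    Returns the absolute index of the first hit, or None."""
    hit = payload[offset:offset + depth].find(content)
    return None if hit < 0 else offset + hit

def ber_tlv(buf, pos):
    """Decode one BER TLV at buf[pos] -> (tag, value, next_pos); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def snmp_community(packet):
    """Return (version, community) of an SNMPv1/v2c message by walking its BER structure."""
    tag, body, _ = ber_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message SEQUENCE")
    tag, version, pos = ber_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("missing version INTEGER")
    tag, community, _ = ber_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("missing community OCTET STRING")
    return int.from_bytes(version, "big"), community

if __name__ == "__main__":
    # On the sample, depth:15 hits at index 17 (0x11): the "04 00" inside the request-id
    # INTEGER "02 04 00 E0 7A 20", not the community field, i.e. the false positive.
    for name, pkt in (("sample", SAMPLE), ("empty-community", EMPTY_COMMUNITY)):
        print(name, "depth:15 hit at", content_match(pkt, RULE_CONTENT, 5, 15),
              "| depth:6 hit at", content_match(pkt, RULE_CONTENT, 5, 6),
              "| decoded community", snmp_community(pkt)[1])
```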