
List:       snort-sigs
Subject:    [Snort-sigs] Re: [Snort-devel] False SNMP missing community string alerts
From:       "Daniel J. Roelker" <droelker () sourcefire ! com>
Date:       2003-11-19 14:58:37

Thanks for pointing this out John.  The false positive occurs because
the offset is 5 and the content must occur within 15 bytes of the offset
(the depth keyword).  So in this packet, you see the |04 00| within 15
bytes of the offset (it's at the beginning of the second line).

This rule needs to be enhanced to weed out these types of false
positives.  I think that decreasing the depth value would help, but I
think this rule should be revisited in more depth.

If Brian can't get a chance to look at this, then I will.  Thanks again,
John.

Dan

On Tue, 2003-11-18 at 15:50, John Wehle wrote:
> The following shows up from time to time in my logs:
> 
> [**] SNMP missing community string attempt [**]
> 11/18-14:46:39.480171 192.251.93.6:41142 -> 192.251.93.7:161
> UDP TTL:255 TOS:0x0 ID:30520 IpLen:20 DgmLen:73 DF
> Len: 45
> 30 2B 02 01 01 04 06 70 75 62 6C 69 63 A1 1E 02  0+.....public...
> 04 00 C0 C4 27 02 01 00 02 01 00 30 10 30 0E 06  ....'......0.0..
> 0A 2B 06 01 02 01 19 04 02 01 04 05 00           .+...........
> 
> apparently due to:
> 
> alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP missing community string \
> attempt"; content:"|04 00|"; offset:5; depth:15; reference:cve,CAN-1999-0517; \
> classtype:misc-attack; sid:1893; rev:1;) 
> being triggered.  As I understood it, the rule says to trigger if, starting
> at offset 5, the sequence 04 00 is present; the packet dump shows the sequence
> starting at offset 5 as 04 06, in which case the rule shouldn't have triggered.
> 
> Particulars:
> 
> System Architecture:          x86
> Operating System and version: Solaris 8
> Version of Snort:             2.0.4
> Configuration:                Stock snort.conf with HOME_NET defined as
> 192.251.93.0/24
> Command line switches:        -d -c snort.conf
> 
> The rule doesn't trigger all the time ... just sometimes even though
> 192.251.93.6 polls 192.251.93.7 every five minutes.
> 
> -- John
> -------------------------------------------------------------------------
> > Feith Systems  |   Voice: 1-215-646-8000  |  Email: john@feith.com  |
> > John Wehle    |     Fax: 1-215-540-5495  |                         |
> -------------------------------------------------------------------------
> 
-- 
Daniel Roelker
Software Developer
Sourcefire, Inc.
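The following is an added worked example, not code from this thread, from Snort or from Sourcefire. It models the content/offset/depth behaviour Dan describes (the pattern must be found within `depth` bytes starting at `offset`) as a plain byte search, runs it over the packet bytes transcribed from John's hex dump, and then parses the SNMP BER framing to show which field the matching |04 00| bytes sit in. In the reported packet they are the length byte and leading zero octet of the request-id INTEGER (`02 04 00 C0 C4 27`), which sits inside the 15-byte window; the two variant packets, the request-id substitution and the `is_missing_community` check are constructed for illustration and are the editor's analysis, not a claim about what any later revision of sid:1893 does.

```python
"""Why sid:1893 rev:1 fires on the packet in this thread.

Added example; not code from the thread, from Snort or from Sourcefire.
It models the Snort 2.0 content/offset/depth semantics Dan describes (the
pattern must be found within `depth` bytes of `offset`), then parses the
SNMP BER framing to show which field the matching |04 00| bytes belong to.
PAYLOAD is transcribed from John's hex dump; the two variant packets below
are constructed for illustration.
"""

# 45-byte UDP payload from the alert (Len: 45), transcribed from the dump.
PAYLOAD = bytes.fromhex(
    "302b020101040670" "75626c6963a11e02"   # SEQ{ ver=1, "public", GetNextRequest{
    "0400c0c427020100" "0201003010300e06"   #   request-id 00C0C427, err, idx, varbinds
    "0a2b060102011904" "0201040500"         #   OID 1.3.6.1.2.1.25.4.2.1.4, NULL } }
)

RULE_PATTERN, RULE_OFFSET, RULE_DEPTH = b"\x04\x00", 5, 15   # from sid:1893 rev:1


def content_match(payload, pattern, offset=0, depth=None):
    """Snort 2.0 style content search: look for `pattern` only inside
    payload[offset:offset+depth].  Returns the absolute index or -1."""
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    i = window.find(pattern)
    return -1 if i < 0 else offset + i


def ber_tlv(buf, pos):
    """Decode one BER TLV at `pos` -> (tag, value_start, value_end).
    Handles short- and long-form definite lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def parse_snmp(payload):
    """Walk SNMP v1/v2c framing: SEQUENCE { version, community, PDU { request-id, ... } }.
    Returns the field values plus the [start, end) byte span of each TLV."""
    tag, p, _ = ber_tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    spans = {}
    tag, vs, ve = ber_tlv(payload, p)
    if tag != 0x02:
        raise ValueError("expected version INTEGER")
    spans["version"] = (p, ve)
    tag, cs, ce = ber_tlv(payload, ve)
    if tag != 0x04:
        raise ValueError("expected community OCTET STRING")
    spans["community"] = (ve, ce)
    pdu_tag, ps, pe = ber_tlv(payload, ce)
    if (pdu_tag & 0xE0) != 0xA0:           # PDUs are context-tagged A0..A7
        raise ValueError("expected context-tagged PDU")
    spans["pdu"] = (ce, pe)
    tag, rs, re_ = ber_tlv(payload, ps)
    if tag != 0x02:
        raise ValueError("expected request-id INTEGER")
    spans["request_id"] = (ps, re_)
    return {
        "version": int.from_bytes(payload[vs:ve], "big"),
        "community": payload[cs:ce],
        "pdu_tag": pdu_tag,
        "request_id": int.from_bytes(payload[rs:re_], "big", signed=True),
        "spans": spans,
    }


def field_at(payload, index):
    """Name the innermost parsed field whose TLV covers byte `index`."""
    spans = parse_snmp(payload)["spans"]
    for name in ("version", "community", "request_id", "pdu"):   # innermost first
        s, e = spans[name]
        if s <= index < e:
            return name
    return "other"


def is_missing_community(payload):
    """The structural condition the rule is approximating: a community
    OCTET STRING of length 0.  Unparseable input simply does not match."""
    try:
        return len(parse_snmp(payload)["community"]) == 0
    except (ValueError, IndexError):
        return False


# Constructed variants (not from the thread):
#  - same request with the community really empty (04 00); outer length 43-6 = 37
EMPTY_COMMUNITY = bytes.fromhex("3025020101" "0400") + PAYLOAD[13:]
#  - same request with request-id 0x41C0C427, whose BER encoding needs no leading 00
OTHER_REQUEST_ID = PAYLOAD[:17] + b"\x41" + PAYLOAD[18:]


def analyse(payload):
    """Return (rule_match_index, field_hit_or_None, community_really_missing)."""
    idx = content_match(payload, RULE_PATTERN, RULE_OFFSET, RULE_DEPTH)
    return idx, (field_at(payload, idx) if idx >= 0 else None), is_missing_community(payload)


if __name__ == "__main__":
    for name, pkt in [("thread packet", PAYLOAD), ("empty community", EMPTY_COMMUNITY),
                      ("other request-id", OTHER_REQUEST_ID)]:
        idx, field, missing = analyse(pkt)
        print(f"{name:17s} rule match at {idx:>2} ({field}); community really empty: {missing}")
```

Running it shows the thread packet matching at byte 16 inside the request-id TLV while the community is `public`; the constructed empty-community packet matching at byte 5, where a real hit belongs; and the same request with a request-id whose first octet is not 0x00 not matching at all, which is consistent with the rule firing only on some of the five-minute polls. The BER parser handles only definite lengths and assumes well-formed input, which is enough for the packets here.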