List: snort-sigs
Subject: [Snort-sigs] Re: [Snort-devel] False SNMP missing community string alerts
From: "Daniel J. Roelker" <droelker () sourcefire ! com>
Date: 2003-11-19 14:58:37
Thanks for pointing this out John. The false positive occurs because
the offset is 5 and the content must occur within 15 bytes of the offset
(the depth keyword). So in this packet, you see the |04 00| within 15
bytes of the offset (it's at the beginning of the second line).
This rule needs to be enhanced to weed out these types of false
positives. I think that decreasing the depth value would help, but I
think this rule should be revisited in more depth.
If Brian can't get a chance to look at this, then I will. Thanks again,
John.
Dan
On Tue, 2003-11-18 at 15:50, John Wehle wrote:
> The following shows up from time to time in my logs:
>
> [**] SNMP missing community string attempt [**]
> 11/18-14:46:39.480171 192.251.93.6:41142 -> 192.251.93.7:161
> UDP TTL:255 TOS:0x0 ID:30520 IpLen:20 DgmLen:73 DF
> Len: 45
> 30 2B 02 01 01 04 06 70 75 62 6C 69 63 A1 1E 02 0+.....public...
> 04 00 C0 C4 27 02 01 00 02 01 00 30 10 30 0E 06 ....'......0.0..
> 0A 2B 06 01 02 01 19 04 02 01 04 05 00 .+...........
>
> apparently due to:
>
> alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP missing community string \
> attempt"; content:"|04 00|"; offset:5; depth:15; reference:cve,CAN-1999-0517; \
> classtype:misc-attack; sid:1893; rev:1;)
> being triggered. As I understood it, the rule says trigger if, starting
> at offset 5, the sequence 04 00 is present; the packet dump shows the sequence
> starting at offset 5 as 04 06, in which case the rule shouldn't have triggered.
>
> Particulars:
>
> System Architecture: x86
> Operating System and version: Solaris 8
> Version of Snort: 2.0.4
> Configuration: Stock snort.conf with HOME_NET defined as
> 192.251.93.0/24
> Command line switches: -d -c snort.conf
>
> The rule doesn't trigger all the time ... just sometimes even though
> 192.251.93.6 polls 192.251.93.7 every five minutes.
>
> -- John
> -------------------------------------------------------------------------
> > Feith Systems | Voice: 1-215-646-8000 | Email: john@feith.com |
> > John Wehle | Fax: 1-215-540-5495 | |
> -------------------------------------------------------------------------
>
>
>
> -------------------------------------------------------
> This SF.net email is sponsored by: SF.net Giveback Program.
> Does SourceForge.net help you be more productive? Does it
> help you create better code? SHARE THE LOVE, and help us help
> YOU! Click Here: http://sourceforge.net/donate/
> _______________________________________________
> Snort-devel mailing list
> Snort-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
>
--
Daniel Roelker
Software Developer
Sourcefire, Inc.
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
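The following is an added example, not code from the thread or from the Snort project. It implements the content/offset/depth window as Dan describes it (search for the content starting at the offset, within the next `depth` bytes) and runs it over the 45-byte UDP payload from John's alert, then contrasts that byte-window check with a minimal BER parse of the SNMP header that reads the community string itself. The two extra packets (an empty-community request and a variant of John's packet with a different request-id) are constructed here to show when the rule fires and when it does not; the function names are this example's own.

```python
# Added example: Snort-2-style content/offset/depth matching versus a
# BER-aware community-string check, run over the packet from the thread.

# UDP payload copied from John's hex dump (three lines, 16+16+13 = 45 bytes).
PACKET_FROM_THREAD = bytes.fromhex(
    "30 2B 02 01 01 04 06 70 75 62 6C 69 63 A1 1E 02"
    "04 00 C0 C4 27 02 01 00 02 01 00 30 10 30 0E 06"
    "0A 2B 06 01 02 01 19 04 02 01 04 05 00"
)

# Constructed here (not from the thread): SNMPv1 GetRequest whose community
# string really is empty -> SEQUENCE { INTEGER 0, OCTET STRING "", GetRequest{...} }
EMPTY_COMMUNITY_PACKET = bytes.fromhex(
    "30 12 02 01 00 04 00 A0 0B 02 01 01 02 01 00 02 01 00 30 00"
)

# Constructed variant of John's packet: same "public" community, but the
# request-id is 0x01C0C427 instead of 0x00C0C427, so the length byte 04 of
# the INTEGER is no longer followed by 00.
PACKET_VARIANT = PACKET_FROM_THREAD[:16] + b"\x04\x01" + PACKET_FROM_THREAD[18:]


def snort_content_match(payload: bytes, content: bytes, offset: int, depth: int):
    """Snort 2.x semantics as stated in the thread: look for `content`
    starting at `offset`, and the whole match must lie within the next
    `depth` bytes. Returns the absolute index of the match, or None."""
    window = payload[offset:offset + depth]
    idx = window.find(content)
    return None if idx < 0 else offset + idx


def ber_read_tlv(buf: bytes, pos: int):
    """Minimal BER TLV reader: returns (tag, value, position after element).
    Supports short-form and long-form definite lengths up to 4 bytes."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported BER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:end], end


def snmp_community(payload: bytes) -> bytes:
    """Parse the SNMPv1/v2c header SEQUENCE { INTEGER version,
    OCTET STRING community, PDU } and return the community string.
    Because lengths are decoded, this works even when the outer SEQUENCE
    uses a long-form length and the community is not at offset 5."""
    tag, msg, _ = ber_read_tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message (outer tag is not SEQUENCE)")
    tag, _version, pos = ber_read_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER version")
    tag, community, _ = ber_read_tlv(msg, pos)
    if tag != 0x04:
        raise ValueError("expected OCTET STRING community")
    return community


def analyse(payload: bytes) -> dict:
    """Evaluate sid 1893's content check (|04 00|, offset 5, depth 15) and the
    parsed community string side by side."""
    match = snort_content_match(payload, b"\x04\x00", offset=5, depth=15)
    community = snmp_community(payload)
    return {
        "rule_sid_1893_fires": match is not None,
        "match_offset": match,
        "community": community,
        "community_empty": len(community) == 0,
    }


if __name__ == "__main__":
    for name, pkt in [("thread packet", PACKET_FROM_THREAD),
                      ("empty community", EMPTY_COMMUNITY_PACKET),
                      ("request-id variant", PACKET_VARIANT)]:
        print(name, analyse(pkt))
```

On John's packet the window is bytes 5 through 19, and the `04 00` found at offset 16 is the length byte and first value byte of the 4-byte request-id INTEGER (`02 04 00 C0 C4 27`), not a zero-length community string; the variant with a different request-id shows why the rule fires only on some of the five-minute polls. Decoding the BER header instead of scanning a byte window reports `public` for the thread packet and an empty community only for the constructed empty-community request.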