Re: [Snort-sigs] Lot of FP with 2002926

It looks like in order to stop these legitimate false positives, the src 
port must be enforced. Revision 2 is available.

alert udp any !161 -> $HOME_NET 49152 ...

Of course this lends itself to evasion, but I think it is necessary to 
avoid these cases.

-Blake





Chich Thierry wrote:

> 2002926 : BLEEDING-EDGE SNMP Cisco Non-Trap PDU request on SNMPv1 random port
>
> I have a lot of FP with this rule. I don't understand exactly why, but it 
> seems that this signature is found in standard snmp v1  responses.
>
>
> alert udp any any -> $HOME_NET 49152: (msg:"BLEEDING-EDGE SNMP Cisco Non-Trap 
> PDU request on SNMPv1 random port"; content:"|02 01 00|"; distance:2; 
> within:3; byte_test:1,>,159,8,relative; byte_test:1,<,164,8,relative; 
> reference:cve,2004-0714; reference:bugtraq,10186; classtype:attempted-dos; 
> sid:2002926; rev:1; )
>
> For instance :
>
> 09:20:05.999462 IP 10.115.109.246.161 > 172.30.92.192.59407:  
> GetResponse(32)  .1.3.6.1.2.1.1.3.0=54841443
>        0x0000:  4500 004b c8b8 4000 3e11 f2a1 0a73 6df6  E..K..@.>....sm.
>        0x0010:  ac1e 5cc0 00a1 e80f 0037 4ca7 302d 0201  ..\......7L.0-..
>        0x0020:  0004 0670 7562 6c69 63a2 2002 046b a0b2  ...public....k..
>        0x0030:  2302 0100 0201 0030 1230 1006 082b 0601  #......0.0...+..
>        0x0040:  0201 0103 0043 0403 44d0 63              .....C..D.c
> 09:20:06.035558 IP 10.115.103.246.161 > 172.30.92.192.59408:  
> GetResponse(32)  .1.3.6.1.2.1.1.3.0=37438882
>        0x0000:  4500 004b f27b 4000 3e11 cede 0a73 67f6  E..K.{@.>....sg.
>        0x0010:  ac1e 5cc0 00a1 e810 0037 1b32 302d 0201  ..\......7.20-..
>        0x0020:  0004 0670 7562 6c69 63a2 2002 046b a0b2  ...public....k..
>        0x0030:  2502 0100 0201 0030 1230 1006 082b 0601  %......0.0...+..
>        0x0040:  0201 0103 0043 0402 3b45 a2              .....C..;E.
>
> Couldn't we rewrite this rule as :
> alert udp any !161 -> $HOME_NET 49152: (msg:"BLEEDING-EDGE SNMP Cisco 
> Non-Trap PDU request on SNMPv1 random port"; content:"|02 01 00|"; 
> distance:2; within:3; byte_test:1,>,159,8,relative; 
> byte_test:1,<,164,8,relative; reference:cve,2004-0714; 
> reference:bugtraq,10186; classtype:attempted-dos; sid:2002926; rev:1; )
>
> ?
>
>
> Thierry
>
>
> -------------------------------------------------------
> All the advantages of Linux Managed Hosting--Without the Cost and Risk!
> Fully trained technicians. The highest number of Red Hat certifications in
> the hosting industry. Fanatical Support. Click to learn more
> http://sel.as-us.falkag.net/sel?cmd=lnk&kid=107521&bid=248729&dat=121642
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>  


--
This email and any files transmitted with it are solely intended for the use of 
the addressee(s) and may contain information that is confidential and 
privileged.  If you receive this email in error, please advise us by return 
email immediately. Please also disregard the contents of the email, delete it 
and destroy any copies immediately.  Demarc Security, Inc. does not accept 
liability for the views expressed in the email or for the consequences of any 
computer viruses that may be transmitted with this email.

This email is also subject to copyright. No part of it should be reproduced, 
adapted or transmitted without the written consent of the copyright owner.



-------------------------------------------------------
All the advantages of Linux Managed Hosting--Without the Cost and Risk!
Fully trained technicians. The highest number of Red Hat certifications in
the hosting industry. Fanatical Support. Click to learn more
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=107521&bid=248729&dat=121642
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs