Jon,
The rule is looking for |04 00| offset 5, and depth 15. Thus, it starts
looking at that offset, then stops looking once it reaches depth 15.
It just so happens that the Request Id: 0x715e0400 is causing this rule
to alert, even though a valid community string has been specified.
-Blake
Jon Hart wrote:
This is the sig to detect SNMP traffic with missing community strings.
I have this one FP every so often. Here is a pcap showing the original
payload (with obfusacated src/dst ip).
I'm not clear why it is even triggering... unless I'm blind, at offset
15 the bytes are '04 05', not '04 00'.
Thoughts?
-jon
------------------------------------------------------------------------
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
--
This email and any files transmitted with it are solely intended for the use of
the addressee(s) and may contain information that is confidential and
privileged. If you receive this email in error, please advise us by return
email immediately. Please also disregard the contents of the email, delete it
and destroy any copies immediately. Demarc Security, Inc. does not accept
liability for the views expressed in the email or for the consequences of any
computer viruses that may be transmitted with this email.
This email is also subject to copyright. No part of it should be reproduced,
adapted or transmitted without the written consent of the copyright owner.
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
