Re: [Snort-sigs] SNMP Missing Community String Signature FP

Eric,
Where exactly did you get that packet? (tcpdump format?)

If so, chances are you are seeing the headers and the start of the 
payload starts later in the packet, which is my initial guess, send me a 
pcap and I would be happy to analyze it for you.

-Blake




Eric Hines wrote:
> All:
>
> Please ignore the initial explanation in this first email. I'm trying 
> to understand why Snort is firing on these packets when |04 00| is 
> outside the 15 byte depth, starting counting from the 5th byte offset. 
> Is the rule written wrong?
>
> Best Regards,
>
> Eric S. Hines, GCIA, CISSP
> CEO, President, Chairman
> Applied Watch Technologies, LLC
>
>
> --------------------------------------------------
>
> Eric S. Hines, GCIA, CISSP
> CEO, President, Chairman
> Applied Watch Technologies, LLC
>
> --------------------------------------------------
>
> Email:   eric.hines@appliedwatch.com
> Address: 1095 Pingree Road
>          Suite 213
>          Crystal Lake, IL
>          60014
> Tel:     (877) 262-7593 ext:327
> Local:   (847) 854-5831
> Fax:     (847) 854-5106
> Web:     http://www.appliedwatch.com
>
> --------------------------------------------------
> Security Management for the Open Source Enterprise
>
>
>
>
>
> Eric Hines wrote:
> > All:
> >
> > SID #: 1893 (SNMP missing community string attempt) sets a depth max 
> > of 15 bytes. This signature is improperly firing on several of our 
> > networks as a lot of different devices will set the community string 
> > deeper than 15 bytes.
> >
> > Is this happening frequently enough for everyone else out there to 
> > propose a modification to this rule to have the depth increased or 
> > eliminated, or do you guys consider this to be a local tuning 
> > responsibility of the administrator?
> >
> > Has anyone else had this problem?
> >
> > Snort Team: Should we submit this using the Snort signature template 
> > for submitting False Positives? All 50,000 alerts in one day for this 
> > signature were FPs :)
> >
> > Where do we draw the line on a signature using too tight of a 
> > Depth/Offset, etc.. being a False Positive or User-specific tuning?
> >
> > ----- snip ------
> >
> > alert UDP $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP missing 
> > community string attempt";  content:"|04 00|"; depth:15; 
> > offset:5;reference:bugtraq,2112; reference:cve,1999-0517; 
> > classtype:misc-attack; sid:1893; rev:4;)
> >
> >
> > ---- example packet -----
> >
> > 0fdd 00a1 0033 d483 3029 0201 0004 0670         .......3..0).....p
> > 7562 6c69 63a0 1c02 0400 a063 f602 0100 0201    ublic......c......
> > 0030 0e30 0c06 082b 0601 0201 0103 0005 00      .0.0...+.........
> >
> >
> >
> > ------------------------------------------------------------------------- 
> >
> > Using Tomcat but need to do more? Need to support web services, 
> > security?
> > Get stuff done quickly with pre-integrated technology to make your 
> > job easier
> > Download IBM WebSphere Application Server v.1.0.1 based on Apache 
> > Geronimo
> > http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
> >
> >
> > ------------------------------------------------------------------------
> >
> > _______________________________________________
> > Snort-sigs mailing list
> > Snort-sigs@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/snort-sigs
> ------------------------------------------------------------------------
>
>
> -------------------------------------------------------------------------
> Using Tomcat but need to do more? Need to support web services, security?
> Get stuff done quickly with pre-integrated technology to make your job easier
> Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
> http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
>   
> ------------------------------------------------------------------------
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>   


-- 
This email and any files transmitted with it are solely intended for the use of 
the addressee(s) and may contain information that is confidential and 
privileged.  If you receive this email in error, please advise us by return 
email immediately. Please also disregard the contents of the email, delete it 
and destroy any copies immediately.  Demarc Security, Inc. does not accept 
liability for the views expressed in the email or for the consequences of any 
computer viruses that may be transmitted with this email.

This email is also subject to copyright. No part of it should be reproduced, 
adapted or transmitted without the written consent of the copyright owner.



-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs