Hi Blake,
Thanks for your insight. Actually. the packet was provided from Snort. I
cut the IP header for security reasons. What you are looking at is
starting from the first byte of the payload.
In speaking to a few others, we're noticing offset is being used after
depth instead of before, does the order matter? It looks as if the
contributor(s) for the rule are Brian, Nigel/Sourcefire Research Team.
Can anyone from Sourcefire VRT explain whats happening with this rule
and why its firing on these packets despite the depth/offset options?
Best Regards,
Eric S. Hines, GCIA, CISSP
CEO, President, Chairman
Applied Watch Technologies, LLC
--------------------------------------------------
Eric S. Hines, GCIA, CISSP
CEO, President, Chairman
Applied Watch Technologies, LLC
--------------------------------------------------
Email: eric.hines@appliedwatch.com
Address: 1095 Pingree Road
Suite 213
Crystal Lake, IL
60014
Tel: (877) 262-7593 ext:327
Local: (847) 854-5831
Fax: (847) 854-5106
Web: http://www.appliedwatch.com
--------------------------------------------------
Security Management for the Open Source Enterprise
Blake Hartstein wrote:
Eric,
Where exactly did you get that packet? (tcpdump format?)
If so, chances are you are seeing the headers and the start of the
payload starts later in the packet, which is my initial guess, send me a
pcap and I would be happy to analyze it for you.
-Blake
Eric Hines wrote:
All:
Please ignore the initial explanation in this first email. I'm trying
to understand why Snort is firing on these packets when |04 00| is
outside the 15 byte depth, starting counting from the 5th byte offset.
Is the rule written wrong?
Best Regards,
Eric S. Hines, GCIA, CISSP
CEO, President, Chairman
Applied Watch Technologies, LLC
--------------------------------------------------
Eric S. Hines, GCIA, CISSP
CEO, President, Chairman
Applied Watch Technologies, LLC
--------------------------------------------------
Email: eric.hines@appliedwatch.com
Address: 1095 Pingree Road
Suite 213
Crystal Lake, IL
60014
Tel: (877) 262-7593 ext:327
Local: (847) 854-5831
Fax: (847) 854-5106
Web: http://www.appliedwatch.com
--------------------------------------------------
Security Management for the Open Source Enterprise
Eric Hines wrote:
All:
SID #: 1893 (SNMP missing community string attempt) sets a depth max
of 15 bytes. This signature is improperly firing on several of our
networks as a lot of different devices will set the community string
deeper than 15 bytes.
Is this happening frequently enough for everyone else out there to
propose a modification to this rule to have the depth increased or
eliminated, or do you guys consider this to be a local tuning
responsibility of the administrator?
Has anyone else had this problem?
Snort Team: Should we submit this using the Snort signature template
for submitting False Positives? All 50,000 alerts in one day for this
signature were FPs :)
Where do we draw the line on a signature using too tight of a
Depth/Offset, etc.. being a False Positive or User-specific tuning?
----- snip ------
alert UDP $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP missing
community string attempt"; content:"|04 00|"; depth:15;
offset:5;reference:bugtraq,2112; reference:cve,1999-0517;
classtype:misc-attack; sid:1893; rev:4;)
---- example packet -----
0fdd 00a1 0033 d483 3029 0201 0004 0670 .......3..0).....p
7562 6c69 63a0 1c02 0400 a063 f602 0100 0201 ublic......c......
0030 0e30 0c06 082b 0601 0201 0103 0005 00 .0.0...+.........
-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services,
security?
Get stuff done quickly with pre-integrated technology to make your
job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache
Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
------------------------------------------------------------------------
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
------------------------------------------------------------------------
-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
------------------------------------------------------------------------
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
eric.hines.vcf
Description: Vcard
-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
