Yep, nice call. I forgot about the UDP header, I was counting the
protocol header when starting my offset counting.
Thanks everyone.
Best Regards,
Eric S. Hines, GCIA, CISSP
CEO, President, Chairman
Applied Watch Technologies, LLC
--------------------------------------------------
Eric S. Hines, GCIA, CISSP
CEO, President, Chairman
Applied Watch Technologies, LLC
--------------------------------------------------
Email: eric.hines@appliedwatch.com
Address: 1095 Pingree Road
Suite 213
Crystal Lake, IL
60014
Tel: (877) 262-7593 ext:327
Local: (847) 854-5831
Fax: (847) 854-5106
Web: http://www.appliedwatch.com
--------------------------------------------------
Security Management for the Open Source Enterprise
Jon Hart wrote:
On Mon, Jul 10, 2006 at 06:11:14PM -0500, Eric Hines wrote:
---- example packet -----
0fdd 00a1 0033 d483 3029 0201 0004 0670 .......3..0).....p
7562 6c69 63a0 1c02 0400 a063 f602 0100 0201 ublic......c......
0030 0e30 0c06 082b 0601 0201 0103 0005 00 .0.0...+.........
This could be either a Snort bug, or a mistype/mispaste/misunderstanding
on your part. '0fdd' == 4061 and '00a1' == 161, which are your source
and destination ports, respectively. The SNMP payload starts at bytes
'3029'. From there, the depth/offset stuff starts to make sense.
-jon
eric.hines.vcf
Description: Vcard
-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
