Nigel,
Packet pasted below starting from UDP Header. You are correct, as Jon
pointed out, the 5 byte offset was starting from the UDP header instead
of the Payload.
But it still begs to ask as to why the rule is firing when the payload
does in fact contain the public community string. Why search for |04 00|
? What would the |04 00| be indicative of if the payload does contain
the community string?
0fdd 00a1 0033 d483 3029 0201 0004 0670 .......3..0).....p
7562 6c69 63a0 1c02 0400 a063 f602 0100 0201 ublic......c......
0030 0e30 0c06 082b 0601 0201 0103 0005 00 .0.0...+.........
Best Regards,
Eric S. Hines, GCIA, CISSP
CEO, President, Chairman
Applied Watch Technologies, LLC
--------------------------------------------------
Eric S. Hines, GCIA, CISSP
CEO, President, Chairman
Applied Watch Technologies, LLC
--------------------------------------------------
Email: eric.hines@appliedwatch.com
Address: 1095 Pingree Road
Suite 213
Crystal Lake, IL
60014
Tel: (877) 262-7593 ext:327
Local: (847) 854-5831
Fax: (847) 854-5106
Web: http://www.appliedwatch.com
--------------------------------------------------
Security Management for the Open Source Enterprise
Nigel Houghton wrote:
On 0, Eric Hines <eric.hines@appliedwatch.com> wrote:
Hi Blake,
Thanks for your insight. Actually. the packet was provided from Snort. I
cut the IP header for security reasons. What you are looking at is
starting from the first byte of the payload.
In speaking to a few others, we're noticing offset is being used after
depth instead of before, does the order matter? It looks as if the
contributor(s) for the rule are Brian, Nigel/Sourcefire Research Team.
Can anyone from Sourcefire VRT explain whats happening with this rule
and why its firing on these packets despite the depth/offset options?
Apologies for not replying sooner, I just got most of this thread in one
fell swoop (not sure I actually have the whole thing yet, I still don't
see the original message).
I suspect you are also looking at the UDP header in the packet, don't
forget that Snort knows about this and starts it's detection after the
UDP header. The packet display from Snort will show you the whole thing.
Anyway, not a lot more I can say without seeing the packets causing the
event to occur.
+--------------------------------------------------------------------+
Nigel Houghton Research Engineer Sourcefire Inc.
Vulnerability Research Team
There is no theory of evolution, just a list
of creatures Vin Diesel allows to live.
-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
eric.hines.vcf
Description: Vcard
-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
