On 0, Eric Hines <eric.hines@appliedwatch.com> wrote:
Matt, agreed.
Nigel, Shall I fill out the False Positive submission form on the
snort.org site for this issue?
If you can send some details that would be great yes. Thanks.
Matt Kettler wrote:
Eric Hines wrote:
Nigel,
Packet pasted below starting from UDP Header. You are correct, as Jon
pointed out, the 5 byte offset was starting from the UDP header instead
of the Payload.
But it still begs to ask as to why the rule is firing when the payload
does in fact contain the public community string. Why search for |04 00|
? What would the |04 00| be indicative of if the payload does contain
the community string?
That's the terminating sequence for the community string. (End-of-text
NUL)
ok.
I think the theory is to look for a community string that is just a
terminator.
Apparently the theory doesn't work so well in this case.
Heh, I guess not :)
+--------------------------------------------------------------------+
Nigel Houghton Research Engineer Sourcefire Inc.
Vulnerability Research Team
There is no theory of evolution, just a list
of creatures Vin Diesel allows to live.
-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
