Snort mailing list archives
SNMP missing community string attempt
From: "Alan Barnes" <abarnes () bulletmail net>
Date: Mon, 14 Jun 2004 23:58:24 -0500
All, I am new to snort. Please forgive me if I do not provide all the necessary info. I will do my best.

I am running cacti (http://www.raxnet.net/products/cacti/) version 8.5. Cacti is a product that provides a complete frontend to the RRDTool product; it stores all of the necessary information to create graphs and populate them with data in a MySQL database. The frontend is completely PHP driven. Along with being able to maintain Graphs, Data Sources, and Round Robin Archives in a database, cacti handles the data gathering. There is also SNMP support for those used to creating traffic graphs with MRTG.

As you can see, the community name is mentioned. Why am I getting a false positive? Thank you in advance for any help.

Signature: SNMP missing community string attempt (misc-attack)
Total alerts: 6 (0%)   Sensors: 1   Source addrs: 1   Dest addrs: 3
First: 2004-06-14 23:23:05   Last: 2004-06-15 00:01:05

ID: 1-118632   Time Triggered: 2004-06-15 00:01:05
Signature: SNMP missing community string attempt
References: CAN-1999-0517 (cve: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0517, icat: http://icat.nist.gov/icat.cfm?cvename=CAN-1999-0517), snort sid 1893 (http://www.snort.org/snort-db/sid.html?sid=1893)
Sensor: name 192.168.1.5, interface eth0, filter none   Alert Group: none

IP: source addr 192.168.1.5 (mail.bulletmail.net), dest addr 192.168.1.4 (seattle.bulletmail.net), Ver 4, Hdr Len 5, TOS 0, length 74, ID 0, flags 0, offset 0, TTL 64, chksum 46921, Options none
UDP: source port 32820, dest port 161, length 54

Payload length = 46
000 : 30 2C 02 01 01 04 06 73 65 63 72 65 74 A0 1F 02   0,.....secret...
010 : 04 00 AD DF 34 02 01 00 02 01 00 30 11 30 0F 06   ....4......0.0..
020 : 0B 2B 06 01 02 01 19 02 03 01 06 05 05 00         .+............

Particulars:
System Architecture: x86
Operating System and version: linux Redhat 9.0
Version of Snort: snort-2.1.3
Configuration: Stock snort.conf with HOME_NET defined as 192.168.1.0/24

The rule triggers all the time and on each server at each run time. Can someone please help?
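The 46-byte payload in the alert above, decoded structurally. This is an added example (editor's code, not from the post and not Snort's rule logic): a minimal BER/ASN.1 walker that pulls the version, community, PDU type and varbinds out of an SNMP message, then answers the question the signature is supposed to answer, "is the community OCTET STRING empty?". It also includes a hypothetical byte-pattern helper, naive_empty_community_match, that looks for the two bytes 04 00 (the encoding of an empty OCTET STRING) near the start of the packet; that helper is an assumption about how a content-match signature might behave, since the exact text of Snort SID 1893 is not reproduced on this page. On the posted packet the structural check finds the community "secret", while the byte match hits the 04 00 at offset 16, which is the length byte of the 4-byte request-id INTEGER followed by its leading zero. The second packet, with an empty community, is constructed here to show the check that should fire.

```python
"""Decode the SNMP GetRequest from the ACID alert and check the community string."""

# Constructed from the hex dump in the post (46 bytes).
ALERT_PAYLOAD = bytes.fromhex(
    "302c0201010406736563726574a01f02"
    "0400addf340201000201003011300f06"
    "0b2b060102011902030106050500"
)

# Constructed by hand: SNMPv1 GetRequest for sysDescr.0 with an EMPTY community (04 00).
EMPTY_COMMUNITY_PAYLOAD = bytes.fromhex(
    "30200201000400a019020101020100020100300e300c06082b060102010101000500"
)

PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap", 0xA5: "GetBulkRequest"}


def read_tlv(buf, pos):
    """Read one BER tag-length-value at pos; return (tag, value_bytes, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = count of length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("unsupported or truncated BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("BER length runs past end of packet")
    return tag, buf[pos:end], end


def ber_int(value):
    return int.from_bytes(value, "big", signed=True) if value else 0


def decode_oid(value):
    # First octet packs the first two arcs as 40*x + y; the rest are base-128 with a
    # continuation bit in the high bit of each octet.
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def parse_snmp(payload):
    """Return the fields of an SNMPv1/v2c message as a dict (raises on malformed input)."""
    tag, msg, _ = read_tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message (outer SEQUENCE missing)")
    pos = 0
    tag, ver, pos = read_tlv(msg, pos)              # INTEGER: 0 = v1, 1 = v2c
    tag, community, pos = read_tlv(msg, pos)        # OCTET STRING
    if tag != 0x04:
        raise ValueError("community field is not an OCTET STRING")
    pdu_tag, pdu, _ = read_tlv(msg, pos)            # context tag A0..A5
    p = 0
    _, req_id, p = read_tlv(pdu, p)
    _, err_status, p = read_tlv(pdu, p)
    _, err_index, p = read_tlv(pdu, p)
    _, vbl, _ = read_tlv(pdu, p)                    # VarBindList SEQUENCE
    varbinds, q = [], 0
    while q < len(vbl):
        _, vb, q = read_tlv(vbl, q)                 # VarBind SEQUENCE
        _, oid, r = read_tlv(vb, 0)
        vtag, _, _ = read_tlv(vb, r)                # value tag (0x05 = NULL in a Get)
        varbinds.append((decode_oid(oid), vtag))
    return {"version": ber_int(ver), "community": community,
            "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag)), "request_id": ber_int(req_id),
            "error_status": ber_int(err_status), "error_index": ber_int(err_index),
            "varbinds": varbinds}


def community_missing(payload):
    """Structural check: True only if the community OCTET STRING really is empty."""
    return len(parse_snmp(payload)["community"]) == 0


def naive_empty_community_match(payload):
    """Hypothetical byte-pattern check (an assumption, not the real rule): offset of the
    first 04 00 within the first 20 bytes, or -1. Cannot tell an empty community from a
    length byte 04 that happens to precede a 00 elsewhere in the message."""
    return payload.find(b"\x04\x00", 0, 20)


if __name__ == "__main__":
    for name, pkt in (("alert", ALERT_PAYLOAD), ("empty", EMPTY_COMMUNITY_PAYLOAD)):
        print(name, parse_snmp(pkt))
        print("  structural missing-community:", community_missing(pkt),
              " naive 04 00 match at:", naive_empty_community_match(pkt))
```

Run as-is and the alert packet decodes as SNMPv2c (version 1), community "secret", GetRequest id 11394868, one varbind for 1.3.6.1.2.1.25.2.3.1.6.5 (hrStorageUsed.5, a disk-usage poll of the kind Cacti issues); the structural check says the community is present while the byte match fires at offset 16. Whatever the real rule's content is, the practical check for a poller-generated alert is the same: decode the message and look at the community OCTET STRING's own length, and if the rule in use is byte-pattern based, tune it to the parsed field or exempt the poller's source address.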
Current thread:
- SNMP missing community string attempt Alan Barnes (Jun 15)