Snort mailing list archives

SNMP missing community string attempt


From: "Alan Barnes" <abarnes () bulletmail net>
Date: Mon, 14 Jun 2004 23:58:24 -0500

All,
 
I am new to snort. Please forgive me if I do not provide all the necessary
info. I will do my best. 
 
I am running cacti (http://www.raxnet.net/products/cacti/) version 8.5
 
Cacti is a product that provides a complete frontend to the RRDTool product.
It stores all of the necessary information to create graphs and populate
them with data in a MySQL database. The frontend is completely PHP driven.
Along with being able to maintain Graphs, Data Sources, and Round Robin
Archives in a database, cacti handles the data gathering. There is also SNMP
support for those used to creating traffic graphs with MRTG.
 
As you can see, the community name is mentioned. Why am I getting a false
positive? Thank you in advance for any help.
 
 

Signature:      SNMP missing community string attempt
Classification: misc-attack
Total alerts:   6 (0%)
Sensors:        1
Source addrs:   1
Dest addrs:     3
First:          2004-06-14 23:23:05
Last:           2004-06-15 00:01:05
 


ID #:                1 - 118632
Time:                2004-06-15 00:01:05
Triggered Signature: SNMP missing community string attempt
                     [cve CAN-1999-0517 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0517>]
                     [icat <http://icat.nist.gov/icat.cfm?cvename=CAN-1999-0517>]
                     [snort sid 1893 <http://www.snort.org/snort-db/sid.html?sid=1893>]


Sensor
  name:      192.168.1.5
  interface: eth0
  filter:    none

Alert Group: none
 

IP
  source addr: 192.168.1.5
  dest addr:   192.168.1.4
  Ver:         4
  Hdr Len:     5
  TOS:         0
  length:      74
  ID:          0
  flags:       0
  offset:      0
  TTL:         64
  chksum:      46921


FQDN
  Source Name: mail.bulletmail.net
  Dest. Name:  seattle.bulletmail.net

Options: none
 

UDP
  source port: 32820
  dest port:   161
  length:      54
 

Payload
  length = 46

000 : 30 2C 02 01 01 04 06 73 65 63 72 65 74 A0 1F 02   0,.....secret...
010 : 04 00 AD DF 34 02 01 00 02 01 00 30 11 30 0F 06   ....4......0.0..
020 : 0B 2B 06 01 02 01 19 02 03 01 06 05 05 00         .+............

 
Particulars:
 
System Architecture:          x86
Operating System and version: linux Redhat 9.0
Version of Snort:             snort-2.1.3
Configuration:                Stock snort.conf with HOME_NET defined as 192.168.1.0/24
 
 
The rule triggers all the time and on each server at each run time.
 
Can someone please help?
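As an added illustration (not Alan's setup or Snort's own rule code), this Python parses the 46-byte payload from the alert above and checks the community string structurally rather than by byte pattern. It assumes the rule keys on the byte pair 04 00 that a zero-length community OCTET STRING would produce, which the page does not state; in this packet that pair also occurs inside the request-id INTEGER (02 04 00 AD DF 34) at offset 16, while the real community is "secret", and the empty-community variant is constructed here for comparison.

```python
from binascii import unhexlify

# The 46-byte UDP payload from the ACID alert above (hex dump on this page).
PAYLOAD = unhexlify(
    "302c0201010406736563726574a01f02"
    "0400addf340201000201003011300f06"
    "0b2b060102011902030106050500"
)

# Constructed variant: the same request with an empty community string
# (outer SEQUENCE length shortened by the six bytes of "secret").
EMPTY_COMMUNITY = b"\x30" + bytes([0x2C - 6]) + PAYLOAD[2:5] + b"\x04\x00" + PAYLOAD[13:]


def read_tlv(buf, pos):
    """Read one BER TLV at pos; returns (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated TLV")
    return tag, value, pos + length


def parse_snmp_header(buf):
    """Return (version, community, pdu_tag) of an SNMPv1/v2c message."""
    tag, msg, end = read_tlv(buf, 0)
    if tag != 0x30 or end != len(buf):
        raise ValueError("not a single SNMP message")
    tag, ver, pos = read_tlv(msg, 0)          # INTEGER version (0 = v1, 1 = v2c)
    if tag != 0x02:
        raise ValueError("version field missing")
    tag, community, pos = read_tlv(msg, pos)  # OCTET STRING community
    if tag != 0x04:
        raise ValueError("community field missing")
    pdu_tag, _, _ = read_tlv(msg, pos)        # 0xA0 = GetRequest
    return int.from_bytes(ver, "big"), bytes(community), pdu_tag


def is_missing_community(buf):
    """Structural check: community OCTET STRING present but zero-length."""
    return len(parse_snmp_header(buf)[1]) == 0


def empty_octet_string_offsets(buf):
    """Offsets of the byte pair 04 00, which a raw content match would hit."""
    return [i for i in range(len(buf) - 1) if buf[i:i + 2] == b"\x04\x00"]
```

Running it on the alert payload gives a community of "secret" and a 04 00 hit only at offset 16, inside the request-id; the structural check is what distinguishes that from a genuinely empty community.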
 