
Re: False Positive: msg#00126

security.ids.snort.sigs

Subject: Re: False Positive

At 03:47 PM 10/15/2004, Mark Buchanan wrote:
Ok, I took a look at the packet and this is what I found. First,
while the offset is 5 and that is where Snort started looking, the
depth to look was 15. The |04 00| sequence was found at 5 (offset) +
13/14. The |04 00| combination was actually found in the Request ID
field of the packet as opposed to the Community string.

Take a second look... This time don't start at the beginning of the file...

Snort should start looking at offset 5, but after the UDP header since it's a UDP rule.

The first 5 bytes of content (ignored) should be 02 01 00 04 07
then 7 bytes of community
then A0 3E (15 bytes).

There's another 04 00, but it's at offset 17/18 relative to the end of the UDP header.

Unless there's some bug that allows Snort to mis-parse the content rules and run them relative to the start of the packet, instead of the start of the layer content.
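As an added example (written for this page, not code from the thread or from Snort itself): a small Python model of how a rule with `offset:5; depth:15` selects its search window, run over a constructed SNMP-over-UDP datagram laid out the way the reply above describes it (version, a 7-byte community string, an A0 GetRequest PDU, then the request-id). The community string "private", the request-id value, the ports and the lengths are all constructed and are not the packet discussed in the thread; the outer SNMP SEQUENCE header is left out so the payload starts with 02 01 00 04 07 as the reply states. The script reports where every |04 00| sits, once measured from the UDP payload and once measured from the start of the UDP datagram, and whether the rule window contains it in each case.

```python
# Added example (not from the mailing-list thread and not Snort code):
# model Snort-style content/offset/depth matching over a constructed
# SNMP-over-UDP datagram so the byte positions can be checked explicitly.
import struct


def udp_header(payload: bytes, sport: int = 1025, dport: int = 161) -> bytes:
    """Constructed 8-byte UDP header (src port, dst port 161/SNMP, length,
    checksum 0). Not taken from the packet in the thread."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)


# Constructed SNMPv1 GetRequest body, laid out as the reply describes.
# The outer SEQUENCE (30 LL) header is omitted on purpose so that the
# payload begins with 02 01 00 04 07.
SNMP_BODY = (
    bytes.fromhex("020100")            # INTEGER version = 0 (SNMPv1)
    + bytes.fromhex("0407") + b"private"  # OCTET STRING community, 7 bytes (constructed)
    + bytes.fromhex("a00e")            # GetRequest PDU tag + length of the remainder
    + bytes.fromhex("02041a04003c")    # INTEGER request-id (constructed) containing 04 00
    + bytes.fromhex("020100")          # INTEGER error-status = 0
    + bytes.fromhex("020100")          # INTEGER error-index = 0
    + bytes.fromhex("3000")            # empty varbind list
)

PATTERN = bytes.fromhex("0400")        # the content the rule looks for
OFFSET, DEPTH = 5, 15                  # the rule modifiers discussed in the thread


def content_window(data: bytes, offset: int, depth: int) -> bytes:
    """Bytes a rule with offset:N; depth:M actually inspects.

    Assumption (Snort 2.x semantics): both modifiers are measured from the
    start of the layer payload, which for a UDP rule is the first byte after
    the 8-byte UDP header, and depth counts bytes searched starting at offset.
    """
    return data[offset:offset + depth]


def find_all(data: bytes, pattern: bytes) -> list:
    """Every index at which pattern occurs in data (overlapping hits included)."""
    hits, start = [], 0
    while (i := data.find(pattern, start)) != -1:
        hits.append(i)
        start = i + 1
    return hits


def content_match(data: bytes, pattern: bytes, offset: int, depth: int):
    """Index (relative to the start of data) of the first hit inside the
    offset/depth window, or None when the window does not contain it."""
    i = content_window(data, offset, depth).find(pattern)
    return None if i == -1 else offset + i


def analyse() -> dict:
    """Compare the match when the rule is anchored to the UDP payload versus
    being (wrongly) anchored to the start of the UDP datagram."""
    payload = SNMP_BODY
    datagram = udp_header(payload) + payload
    return {
        "hits_in_payload": find_all(payload, PATTERN),
        "hits_in_datagram": find_all(datagram, PATTERN),
        "match_from_payload": content_match(payload, PATTERN, OFFSET, DEPTH),
        "match_from_datagram": content_match(datagram, PATTERN, OFFSET, DEPTH),
    }


if __name__ == "__main__":
    for key, value in analyse().items():
        print(f"{key}: {value}")
```

With this constructed payload the only |04 00| lies in the request-id at payload offset 17 (bytes 17/18), which is inside the [5, 20) window when the rule is anchored after the UDP header, so the rule fires; the same window measured from the start of the datagram covers the tail of the UDP header plus the version and community fields and contains no |04 00|, so the match disappears. Changing the anchor point changes the verdict, which is the quickest way to test the "relative to start of packet" hypothesis against a captured packet: dump the payload with an 8-byte (UDP) shift and see which offsets line up.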





