Snort Forums Archive

Looks like search method using ac-sparsebands or acs has problem with UDP type attack detection


Posted by Weber on July 11, 2005 04:04:15

Hi All,

I'm trying to play around with several search-methods. I found that if I use ac-sparsebands and acs, the signature 1411 can't be triggered by the corresponding attack.

Here is the signature 1411:
alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP public access udp"; content:"public"; reference:bugtraq,2112; reference:bugtraq,4088; reference:bugtraq,4089; reference:cve,1999-0517; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1411; rev:10;)


I injected a UDP packet with destination port 161 and embedded "public" in the payload, but I do not see the alert coming out from Snort. If I choose another search-method, it works fine.

I doubt that there are some bugs in the acs/ac-sparsebands search-method. Does anyone know what's going on here? Thanks.

Weber
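Added example (not code from the thread or from the Snort project): a Python script that builds the kind of test packet Weber describes, a UDP datagram to port 161 carrying an SNMPv1 GetRequest with community "public", writes it to a pcap for replay with `snort -r`, and cross-checks a toy Aho-Corasick matcher against a naive byte search over the same payload, which is how one would isolate whether a given search-method is the component losing the content match. The addresses, MAC addresses, output file name and the toy automaton are assumptions; the automaton is only a stand-in for the class of engine behind the ac-* search-methods, not Snort's own code.

```python
"""Constructed test for sid 1411: pcap generator plus an offline content cross-check.

Assumptions (not from the thread): RFC 5737 / private test addresses, dummy MACs,
and a toy Aho-Corasick that stands in for the ac-* engines only to show the check.
"""
import socket
import struct
from collections import deque


def ber(tag, body):
    """Minimal BER TLV (short-form length only, enough for this payload)."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body


def snmp_get_public():
    """SNMPv1 GetRequest for sysDescr.0 with community 'public' (40 bytes)."""
    oid_sysdescr = bytes([0x2B, 6, 1, 2, 1, 1, 1, 0])           # 1.3.6.1.2.1.1.1.0
    varbind = ber(0x30, ber(0x06, oid_sysdescr) + ber(0x05, b""))
    pdu = ber(0xA0, ber(0x02, b"\x01") + ber(0x02, b"\x00")      # request-id, error-status
              + ber(0x02, b"\x00") + ber(0x30, varbind))         # error-index, varbind list
    return ber(0x30, ber(0x02, b"\x00") + ber(0x04, b"public") + pdu)   # version 1


def checksum(data):
    """RFC 1071 one's-complement sum, used for both the IP and UDP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_udp(src, dst, sport, dport, payload):
    """IPv4 header + UDP header + payload with both checksums filled in."""
    src_b, dst_b = socket.inet_aton(src), socket.inet_aton(dst)
    udp_len = 8 + len(payload)
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, 17, udp_len)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    udp_csum = checksum(pseudo + udp) or 0xFFFF      # 0 would mean "no checksum" in UDP
    udp = struct.pack("!HHHH", sport, dport, udp_len, udp_csum) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0x1234, 0x4000,
                     64, 17, 0, src_b, dst_b)        # TTL 64, proto 17, checksum 0 for now
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + udp


def write_pcap(path, packets):
    """Ethernet-encapsulated pcap (link type 1) suitable for `snort -r`."""
    eth = bytes.fromhex("020000000001" "020000000002" "0800")   # dummy MACs, EtherType IPv4
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for i, pkt in enumerate(packets):
            frame = eth + pkt
            f.write(struct.pack("<IIII", 1120000000 + i, 0, len(frame), len(frame)))
            f.write(frame)


def content_hits(payload, patterns):
    """Naive reference matcher: every (pattern, offset) a rule 'content' would hit."""
    return sorted((p, i) for p in patterns
                  for i in range(len(payload) - len(p) + 1) if payload[i:i + len(p)] == p)


def build_ac(patterns):
    """Toy Aho-Corasick automaton (goto / fail / output tables) over byte patterns."""
    goto, out = [{}], [set()]
    for p in patterns:
        s = 0
        for ch in p:
            if ch not in goto[s]:
                goto.append({})
                out.append(set())
                goto[s][ch] = len(goto) - 1
            s = goto[s][ch]
        out[s].add(p)
    fail, queue = [0] * len(goto), deque(goto[0].values())   # depth-1 states fail to root
    while queue:
        r = queue.popleft()
        for ch, s in goto[r].items():
            queue.append(s)
            f = fail[r]
            while f and ch not in goto[f]:
                f = fail[f]
            fail[s] = goto[f].get(ch, 0)
            out[s] |= out[fail[s]]                   # inherit patterns ending at the fail state
    return goto, fail, out


def ac_search(ac, data):
    """Single pass over data; returns (pattern, offset) for every match."""
    goto, fail, out = ac
    s, hits = 0, []
    for i, ch in enumerate(data):
        while s and ch not in goto[s]:
            s = fail[s]
        s = goto[s].get(ch, 0)
        hits.extend((p, i - len(p) + 1) for p in out[s])
    return hits


def cross_check(payload, patterns):
    """True when the multi-pattern engine reports exactly the naive matcher's hits."""
    return sorted(ac_search(build_ac(patterns), payload)) == content_hits(payload, patterns)


if __name__ == "__main__":
    pkt = ipv4_udp("192.0.2.10", "10.0.0.5", 40000, 161, snmp_get_public())
    write_pcap("sid1411_test.pcap", [pkt])
    print("engine agrees with naive search:", cross_check(snmp_get_public(), [b"public", b"private"]))
```

Replay the file against a configuration that contains only sid 1411, once with the Snort 2.x directive `config detection: search-method ac-sparsebands` and once with another method (for example `snort -r sid1411_test.pcap -c snort.conf -A console`); if only one of the two runs alerts, the pcap is a minimal reproducer to attach to a bug report. The cross-check in the script is the same idea applied to the matcher in isolation: if a multi-pattern engine ever disagrees with the naive search on a payload, the engine is the component to look at.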

Posted by singo on September 02, 2006 15:41:20

Hi,
I have the same problems only I think the problem is much more severe than just one signature. We have used snort 2.6.0 with default search and successfully detected intrusions, however it used all of the spare 800MB RAM and then started to use swap. We then reconfigured it to use search-method ac-sparsebands, search-method lowmem and search-method ac-std but these could only detect a handful of intrusions and not the important ones like sql slammer. We will be retiring 2.6 until the memory/detection issue is resolved.

Bob

Posted by duh on September 05, 2006 05:54:09

Now that you say that I just noticed it too. It still catches SNMP udp access, but not 'public' specifically. I don't know what other rules might be missed.
Try and file a bug report.