Snort mailing list archives
Re: SNMP Rule to detect current threat?
From: "Andrew R. Baker" <andrewb () snort org>
Date: Thu, 14 Feb 2002 13:31:16 -0800
Chip Kelly wrote:
Has someone written one to share, or is there one located somewhere? -chip
A new rule was committed to the rules in CVS yesterday morning. This rule is based on the community string buffer overflow attack against ucd-snmp. I *think* it looks like this (I sent the details to cazz and let him write the rule):

    alert udp $EXTERNAL_NET any -> $INTERNAL_NET 161:162 (msg: "SNMP Community String Buffer Overflow Attack"; content: "|02 01 00 04 82 01 00|"; offset: 4;)

however, using

    content: "|04 82 01 00|"; offset: 7; depth: 5;

may prevent some evasion techniques (but I have not validated whether those evasion techniques will still allow the exploit to function).

Please remember that this is only based on one verified vulnerability in the ucd-snmp package; other vulnerabilities may also exist that would require different signatures to detect.

-A

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
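The byte pattern in the rule above is the BER header of an SNMPv1 message: `02 01 00` is the version INTEGER (SNMPv1), and `04 82 01 00` is an OCTET STRING (the community string) whose length is written in long form as exactly 256 bytes. The following is an added example, not code from the message or from Snort itself: it emulates the content/offset/depth matching of both rule variants over constructed UDP payloads, then goes one step further than the rule and decodes the community-string length from the BER header so that any oversized community (not just the 256-byte encoding) can be flagged. The `build_snmp_get` encoder, the `RULE_A`/`RULE_B` names and the 64-byte threshold are assumptions made for this example; the content/offset/depth emulation is a simplification of Snort's real matching and is not a drop-in replacement for it.

```python
"""Emulate the two Snort content matches quoted above and generalize them
with a BER-aware check of the SNMP community-string length (defensive
detection logic only; all packets below are constructed test vectors)."""
from typing import Optional, Tuple


def ber_tlv(tag: int, body: bytes) -> bytes:
    """Encode one BER TLV with a minimal (short- or long-form) length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + body


def build_snmp_get(community: bytes, request_id: int = 1) -> bytes:
    """Constructed SNMPv1 GetRequest with an empty varbind list (test vector only)."""
    pdu_body = (ber_tlv(0x02, bytes([request_id]))   # request-id
                + ber_tlv(0x02, b"\x00")              # error-status
                + ber_tlv(0x02, b"\x00")              # error-index
                + ber_tlv(0x30, b""))                 # empty varbind SEQUENCE
    body = ber_tlv(0x02, b"\x00") + ber_tlv(0x04, community) + ber_tlv(0xA0, pdu_body)
    return ber_tlv(0x30, body)


def snort_content_match(payload: bytes, content: bytes, offset: int,
                        depth: Optional[int] = None) -> bool:
    """Approximation of Snort's content/offset/depth: search for `content`
    starting at byte `offset`; with `depth`, only that many bytes are examined."""
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    return content in window


# The two rule variants from the message (assumed names): (content, offset, depth)
RULE_A = (bytes.fromhex("02010004820100"), 4, None)
RULE_B = (bytes.fromhex("04820100"), 7, 5)


def matches_rule(payload: bytes, rule: Tuple[bytes, int, Optional[int]]) -> bool:
    content, offset, depth = rule
    return snort_content_match(payload, content, offset, depth)


def ber_length(buf: bytes, pos: int) -> Optional[Tuple[int, int]]:
    """Decode a BER length at buf[pos]; return (length, bytes consumed) or None."""
    if pos >= len(buf):
        return None
    first = buf[pos]
    if first < 0x80:
        return first, 1
    n = first & 0x7F
    if n == 0 or pos + 1 + n > len(buf):   # indefinite or truncated: reject
        return None
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), 1 + n


def snmp_community_length(payload: bytes) -> Optional[int]:
    """Walk the SNMP header (SEQUENCE, version INTEGER, community OCTET STRING)
    and return the declared community length, or None if it does not parse."""
    if not payload or payload[0] != 0x30:
        return None
    outer = ber_length(payload, 1)
    if outer is None:
        return None
    pos = 1 + outer[1]
    if pos >= len(payload) or payload[pos] != 0x02:
        return None
    ver = ber_length(payload, pos + 1)
    if ver is None:
        return None
    pos = pos + 1 + ver[1] + ver[0]
    if pos >= len(payload) or payload[pos] != 0x04:
        return None
    comm = ber_length(payload, pos + 1)
    return None if comm is None else comm[0]


def oversized_community(payload: bytes, max_len: int = 64) -> bool:
    """Generalized check: flag any community string longer than `max_len`
    (threshold is an assumption; tune it to the site's real community lengths)."""
    n = snmp_community_length(payload)
    return n is not None and n > max_len


if __name__ == "__main__":
    normal = build_snmp_get(b"public")
    oversized = build_snmp_get(b"A" * 256)   # 256-byte community, long-form length 82 01 00
    for name, pkt in (("normal", normal), ("oversized", oversized)):
        print(name, "ruleA:", matches_rule(pkt, RULE_A), "ruleB:", matches_rule(pkt, RULE_B),
              "community_len:", snmp_community_length(pkt), "flag:", oversized_community(pkt))
```

Because the quoted rule keys on the exact encoding `82 01 00`, a community string of 255 or 257 bytes, or one whose length is written in a non-minimal BER form, would not match it; decoding the length as `snmp_community_length` does catches those cases too, which is the reason for the generalized check.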
Current thread:
- SNMP Rule to detect current threat? Chip Kelly (Feb 14)
- Re: SNMP Rule to detect current threat? Blake Frantz (Feb 14)
- Re: SNMP Rule to detect current threat? Andrew R. Baker (Feb 14)
- Re: SNMP Rule to detect current threat? Rich Adamson (Feb 14)
- Re: SNMP Rule to detect current threat? Andrew R. Baker (Feb 14)
- Re: SNMP Rule to detect current threat? Rich Adamson (Feb 14)