Snort mailing list archives

Re: SNMP Rule to detect current threat?


From: "Andrew R. Baker" <andrewb () snort org>
Date: Thu, 14 Feb 2002 13:31:16 -0800

Chip Kelly wrote:

Has someone written one to share, or is there one located somewhere? -chip

A new rule was committed to the rules in CVS yesterday morning.  This
rule is based on the community string buffer overflow attack against
ucd-snmp.  I *think* it looks like this (I sent the details to cazz and
let him write the rule):

alert udp $EXTERNAL_NET any -> $INTERNAL_NET 161:162 (msg:"SNMP Community String Buffer Overflow Attack"; content:"|02 01 00 04 82 01 00|"; offset:4;)

however, using content:"|04 82 01 00|"; offset:7; depth:5; may
prevent some evasion techniques (but I have not validated whether those
evasion techniques will still allow the exploit to function).

Please remember that this is only based on one verified vulnerability in
the ucd-snmp package, other vulnerabilities may also exist that would
require different signatures to detect.

-A
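The rule above matches one fixed byte encoding of a 256-byte community string. As an added example, not code from this thread or from the Snort project, the Python below decodes the BER length field of the SNMPv1 community string itself, so an oversized community is flagged whichever length encoding it uses; the 64-byte threshold and the packet builder are assumptions made for the example.

```python
# Added example: decode the BER length of the SNMPv1 community string instead
# of matching fixed bytes. Layout assumed: SEQUENCE { INTEGER version, OCTET STRING community, PDU }
def read_tlv(buf, pos):
    """Return (tag, value_start, value_len, next_pos) for the BER TLV at pos."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:                      # short form: length fits in one byte
        length = first
    else:                                 # long form: 0x80|n, then n length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV length exceeds buffer")
    return tag, pos, length, pos + length

def community_length(pkt):
    """Walk the SNMPv1 header and return the decoded community-string length."""
    tag, p, _, _ = read_tlv(pkt, 0)                # outer SEQUENCE
    tag2, p, ln, nxt = read_tlv(pkt, p)            # INTEGER version
    tag3, _, ln, _ = read_tlv(pkt, nxt)            # OCTET STRING community
    if (tag, tag2, tag3) != (0x30, 0x02, 0x04):
        raise ValueError("unexpected SNMPv1 header tags")
    return ln

def is_suspicious(pkt, max_len=64):
    """True for a community longer than max_len (assumed threshold) or malformed BER."""
    try:
        return community_length(pkt) > max_len
    except (ValueError, IndexError):
        return True                       # truncated or malformed header is worth a look too

def ber_len(n, width=None):
    """BER length bytes; width forces a long-form size (3 gives non-minimal 83 00 01 00)."""
    if width is None and n < 0x80:
        return bytes([n])
    width = width or (n.bit_length() + 7) // 8
    return bytes([0x80 | width]) + n.to_bytes(width, "big")

def build_v1(community, length_width=None):
    """Constructed SNMPv1 GetRequest with an empty varbind list (sample input)."""
    pdu = b"\xa0\x0b\x02\x01\x01\x02\x01\x00\x02\x01\x00\x30\x00"
    body = b"\x02\x01\x00\x04" + ber_len(len(community), length_width) + community + pdu
    return b"\x30" + ber_len(len(body)) + body

BENIGN = build_v1(b"public")                    # community header: 04 06
OVERFLOW = build_v1(b"A" * 256)                 # header 04 82 01 00, the bytes in the rule
EVASION = build_v1(b"A" * 256, length_width=3)  # header 04 83 00 01 00, same decoded length
```

The OVERFLOW packet carries the rule's bytes at offset 4, while EVASION has the same 256-byte community but does not match them; decoding the length catches both.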

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

