Snort mailing list archives
Re: SNMP Rule to detect current threat?
From: Rich Adamson <radamson () routers com>
Date: Thu, 14 Feb 2002 16:01:22 -0600
A new rule was committed to the rules in CVS yesterday morning. This rule is based on the community string buffer overflow attack against ucd-snmp. I *think* it looks like this (I sent the details to cazz and let him write the rule):

alert udp $EXTERNAL_NET any -> $INTERNAL_NET 161:162 (msg:"SNMP Community String Buffer Overflow Attack"; content:"|02 01 00 04 82 01 00|"; offset:4;)
I've not tried to validate the above rule, but I think you might not want to "assume" external -> internal. Should really be any -> any. If you analyze the documented vulnerability, the typical MS workstation cannot be used via virus/trojan scripts to generate the activity. However, someone could write an executable and distribute it via known mechanisms in such a way that the vulnerability could be exploited from within an internal network (as well as from the external network if a firewall is not blocking 161 traffic). Also, the destination port will be 161 (not 162) with a source port of any (cannot assume > 1024).

Rich Adamson
radamson () routers com
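As an added illustration (not code from this thread or from the Snort project), here is a small BER walker that pulls the version and community string out of an SNMPv1/v2c datagram and flags an overlong community. The rule above matches one fixed byte pattern (INTEGER version 0, then an OCTET STRING whose two-byte long-form length is exactly 0x0100); this generalises the check to any length encoding and any size above a threshold. The sample datagrams are constructed here and the 64-byte threshold is an assumption.

```python
def ber_len(n):
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def read_tlv(buf, pos):
    """Decode one tag/length at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits count the length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length

def parse_snmp_header(payload):
    """Return (version, community) from the message header, or None if malformed."""
    try:
        tag, seq_start, _ = read_tlv(payload, 0)        # outer SEQUENCE
        if tag != 0x30:
            return None
        tag, vs, ve = read_tlv(payload, seq_start)       # INTEGER version (0 = SNMPv1)
        if tag != 0x02:
            return None
        tag, cs, ce = read_tlv(payload, ve)              # OCTET STRING community
        if tag != 0x04:
            return None
        return int.from_bytes(payload[vs:ve], "big"), payload[cs:ce]
    except IndexError:                                   # truncated datagram
        return None

def build_snmp(community, version=0, pdu=b"\xa0\x00"):
    """Assemble SEQUENCE { INTEGER version, OCTET STRING community, pdu } (empty GetRequest)."""
    body = b"\x02\x01" + bytes([version]) + b"\x04" + ber_len(len(community)) + community + pdu
    return b"\x30" + ber_len(len(body)) + body

def community_too_long(payload, max_len=64):
    """Detection check (assumed threshold): True when the community exceeds max_len bytes."""
    parsed = parse_snmp_header(payload)
    return parsed is not None and len(parsed[1]) > max_len

# Constructed samples: a normal "public" request and one carrying a 256-byte community.
NORMAL = build_snmp(b"public")
OVERLONG = build_snmp(b"A" * 256)
```

In the overlong sample the outer SEQUENCE length also takes the long form, so the bytes 02 01 00 04 82 01 00 land exactly at offset 4, which is where the rule's content match begins searching.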