Snort mailing list archives

Re: SNMP Rule to detect current threat?


From: Rich Adamson <radamson () routers com>
Date: Thu, 14 Feb 2002 16:01:22 -0600


A new rule was committed to the rules in CVS yesterday morning.  This
rule is based on the community string buffer overflow attack against
ucd-snmp.  I *think* it looks like this (I sent the details to cazz and
let him write the rule):

alert udp $EXTERNAL_NET any -> $INTERNAL_NET 161:162 (msg: "SNMP Community String Buffer Overflow Attack"; content: | 02 01 00 04 82 01 00 |; offset: 4;)

I've not tried to validate the above rule, but I think you might not
want to "assume" external -> internal. Should really be any -> any.

If you analyze the documented vulnerability, the typical MS workstation
cannot be used via virus/trojan scripts to generate the activity. However,
someone could write an executable and distribute it via known mechanisms
in such a way that the vulnerability could be exploited from within an
internal network (as well as from the external network if a firewall is
not blocking 161 traffic).

Also, the destination port will be 161 (not 162) with a source port of any
(cannot assume > 1024).

Rich Adamson
radamson () routers com
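Added illustration (not code from Rich's post or from the Snort project): a small BER walker that shows what the rule's content bytes mean (SNMPv1 version INTEGER `02 01 00`, then an OCTET STRING community whose long-form length `82 01 00` declares 256 bytes), emulates the `content`/`offset:4` match, and returns the declared community length so a detector can apply its own threshold. The packet builder and the payloads it produces are constructed test data.

```python
def ber_length(buf, pos):
    """Decode a definite-form BER length at buf[pos]; return (length, next_pos)."""
    first = buf[pos]
    if first < 0x80:                       # short form: one byte
        return first, pos + 1
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or pos + 1 + n > len(buf):
        raise ValueError("indefinite or truncated BER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def snmp_community_length(payload):
    """Declared community-string length of an SNMPv1/v2c message, or None if not SNMP-shaped."""
    try:
        if payload[0] != 0x30:             # outer SEQUENCE
            return None
        _, pos = ber_length(payload, 1)
        if payload[pos] != 0x02:           # INTEGER version
            return None
        vlen, pos = ber_length(payload, pos + 1)
        pos += vlen
        if payload[pos] != 0x04:           # OCTET STRING community
            return None
        clen, _ = ber_length(payload, pos + 1)
        return clen
    except (IndexError, ValueError):
        return None

# The byte pattern from the rule in the post: version 0, then a 256-byte community.
RULE_CONTENT = bytes.fromhex("02010004820100")

def matches_cvs_rule(payload):
    """Emulate 'content:|02 01 00 04 82 01 00|; offset:4;' (search starts at byte 4)."""
    return RULE_CONTENT in payload[4:]

def build_snmpv1_get(community):
    """Constructed test data: minimal SNMPv1 GetRequest with an empty varbind list."""
    def tlv(tag, body):
        n = len(body)
        if n < 0x80:
            return bytes([tag, n]) + body
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return bytes([tag, 0x80 | len(lb)]) + lb + body
    pdu = tlv(0xA0, tlv(0x02, b"\x01") + tlv(0x02, b"\x00")
              + tlv(0x02, b"\x00") + tlv(0x30, b""))
    return tlv(0x30, tlv(0x02, b"\x00") + tlv(0x04, community) + pdu)
```

Note that the exact byte match only fires when the declared community length is exactly 0x0100; a length-based check on the value `snmp_community_length` returns covers other oversized lengths as well.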




