[Snort-devel] Snort SNMP Decode version 0.1

Andrew R. Baker andrewb at ...835...
Tue Apr 15 17:42:06 EDT 2003


Snort SNMP Decode version 0.1 is now available.  A patch for Snort 2.0.0 
is attached to this message.  SNMP Decode is intended to replace the 
(very broken) ASN.1 Validator that was available in Snort 1.9.X.  SNMP 
Decode will analyze packets sent to 161/UDP and 162/UDP.  SNMP Decode 
does not take any arguments. It is enabled by adding the following line 
to your Snort configuration file:

     preprocessor snmp_decode

This version has been tested with SNMP data generated from the Protos 
test suite.  This version of SNMP Decode will detect the following events:

     * Empty SNMP packets
     * SNMP encoding spec violations
     * Invalid length encodings
     * Truncated SNMP packets
     * SNMP packets with extra data at the end
     * Invalid SNMP version specifications


To install the patch, use the following commands:

     cd snort-2.0.0
     zcat <path to patch>/spp_snmp_decode_0.1.patch.gz | patch -p1

After installing the patch, build and install Snort per the usual 
instructions.

Please contact me if you think you have found any bugs or false 
positives.  If you use this and like it please let me know (which will 
encourage further development).

Version 0.2 should be released in 1 to 2 months and will add several 
more features.

Enjoy,

Andrew R. Baker
<andrewb at ...835...>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: spp_snmp_decode_0.1.patch.gz
Type: application/gzip
Size: 5124 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20030415/3672f6fb/attachment.gz>
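The six event classes listed in the announcement map directly onto checks a BER-level SNMP decoder makes before it ever looks at the PDU. The following is an added example written for this archive page, not code from the attached patch or from Snort: a small stand-alone Python decoder that walks the outer SEQUENCE, the version INTEGER and the community OCTET STRING of an SNMP message and raises one of six constructed event names when the message is empty, violates the tag layout, carries an invalid length encoding, is truncated, has trailing bytes, or declares an unknown version. The event names, the accepted version set {0, 1, 3} (SNMPv1, v2c, v3) and the sample packets are assumptions of this example.

```python
"""Minimal SNMP/BER sanity checker (added example, not the Snort preprocessor).

Event names below are constructed for this example; they are not the
preprocessor's own alert identifiers.
"""

TAG_SEQUENCE = 0x30
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
# Assumption: the versions a decoder should accept (SNMPv1=0, v2c=1, v3=3).
VALID_VERSIONS = {0, 1, 3}


class SnmpDecodeError(Exception):
    """Raised with a short event name plus a human-readable detail."""

    def __init__(self, event, detail=""):
        super().__init__(f"{event}: {detail}" if detail else event)
        self.event = event


def read_length(buf, pos):
    """Parse a BER length at buf[pos]; return (length, position after it)."""
    if pos >= len(buf):
        raise SnmpDecodeError("TRUNCATED", "length octet missing")
    first = buf[pos]
    pos += 1
    if first < 0x80:                      # short form
        return first, pos
    if first == 0x80:                     # indefinite form is not valid in SNMP
        raise SnmpDecodeError("INVALID_LENGTH", "indefinite length")
    if first == 0xFF:                     # reserved length octet
        raise SnmpDecodeError("INVALID_LENGTH", "reserved length octet 0xFF")
    nbytes = first & 0x7F
    if nbytes > 4:
        raise SnmpDecodeError("INVALID_LENGTH", f"{nbytes} length octets")
    if pos + nbytes > len(buf):
        raise SnmpDecodeError("TRUNCATED", "long-form length octets missing")
    length = int.from_bytes(buf[pos:pos + nbytes], "big")
    if length < 0x80 or buf[pos] == 0:    # long form must be minimal
        raise SnmpDecodeError("INVALID_LENGTH", "non-minimal long-form length")
    return length, pos + nbytes


def read_tlv(buf, pos, expected_tag, what):
    """Read one tag/length/value element; return (value bytes, end position)."""
    if pos >= len(buf):
        raise SnmpDecodeError("TRUNCATED", f"{what} missing")
    tag = buf[pos]
    if tag != expected_tag:
        raise SnmpDecodeError(
            "ENCODING_VIOLATION",
            f"{what}: expected tag 0x{expected_tag:02x}, got 0x{tag:02x}")
    length, pos = read_length(buf, pos + 1)
    end = pos + length
    if end > len(buf):
        raise SnmpDecodeError(
            "TRUNCATED", f"{what} declares {length} bytes, {len(buf) - pos} remain")
    return buf[pos:end], end


def decode_snmp(pkt):
    """Validate the message header and return version, community and PDU tag."""
    if len(pkt) == 0:
        raise SnmpDecodeError("EMPTY_PACKET")
    body, end = read_tlv(pkt, 0, TAG_SEQUENCE, "message")
    if end != len(pkt):
        raise SnmpDecodeError("TRAILING_DATA", f"{len(pkt) - end} extra bytes")
    ver_bytes, pos = read_tlv(body, 0, TAG_INTEGER, "version")
    if not ver_bytes or len(ver_bytes) > 4:
        raise SnmpDecodeError("ENCODING_VIOLATION", "bad version INTEGER length")
    version = int.from_bytes(ver_bytes, "big", signed=True)
    if version not in VALID_VERSIONS:
        raise SnmpDecodeError("INVALID_VERSION", str(version))
    community, pos = read_tlv(body, pos, TAG_OCTET_STRING, "community")
    pdu = body[pos:]                      # PDU itself is left undecoded here
    if not pdu:
        raise SnmpDecodeError("TRUNCATED", "PDU missing")
    return {"version": version,
            "community": community.decode("ascii", "replace"),
            "pdu_tag": pdu[0]}


def classify(pkt):
    """Return 'OK' or the event name a detector would raise for this packet."""
    try:
        decode_snmp(pkt)
        return "OK"
    except SnmpDecodeError as exc:
        return exc.event


# Constructed sample: a well-formed SNMPv1 GetRequest with community "public".
VALID = bytes.fromhex("3018" "020100" "04067075626c6963"
                      "a00b020101020100020100" "3000")

if __name__ == "__main__":
    samples = {
        "valid": VALID,
        "empty": b"",
        "trailing byte": VALID + b"\x00",
        "truncated": VALID[:-3],
        "indefinite length": b"\x30\x80" + VALID[2:],
        "version 7": VALID[:4] + b"\x07" + VALID[5:],
        "outer tag 0x31": b"\x31" + VALID[1:],
    }
    for name, pkt in samples.items():
        print(f"{name:18s} -> {classify(pkt)}")
```

The decoder deliberately stops at the message header: the checks the announcement lists are all header-level properties, and a detector that refuses malformed headers before touching the PDU keeps its own parsing surface small.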

