[Snort-sigs] First cut SNMP rules

Chris Green cmg at ...26...
Tue Feb 12 19:14:04 EST 2002


alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg: "SNMP/udp public access"; content: "public";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg: "SNMP/tcp public access"; content: "public";)
alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg: "SNMP/udp private access"; content: "private";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg: "SNMP/tcp private access"; content: "private";)
alert udp any any -> 255.255.255.255 161 (msg: "Broadcast UDP SNMP Request";)
alert udp any any -> 255.255.255.255 162 (msg: "Broadcast UDP SNMP Trap";)
alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg: "INBOUND SNMP/udp Request"; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg: "INBOUND SNMP/tcp Request"; )
alert udp $HOME_NET 161 -> $EXTERNAL_NET any (msg: "OUTBOUND SNMP/udp Response"; )
alert tcp $HOME_NET 161 -> $EXTERNAL_NET any (msg: "OUTBOUND SNMP/tcp Response"; )
alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg: "INBOUND SNMPTRAP/udp"; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 162 (msg: "INBOUND SNMPTRAP/tcp Request"; )
alert udp $HOME_NET any -> $EXTERNAL_NET 162 (msg: "OUTBOUND SNMPTRAP/udp"; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 162 (msg: "OUTBOUND SNMPTRAP/tcp Request"; )
alert tcp $HOME_NET 705 -> $EXTERNAL_NET any (msg: "OUTBOUND AgentX/tcp Response"; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 705 (msg: "INBOUND AgentX/tcp Request"; )

These aren't perfect but to do too much requires an SNMP decoder which
we don't have at the moment.  Perhaps some refinement/additions can
be done.  For the most part though, if you SNMP from hosts that you
don't know about, you have something to investigate.
-- 
Chris Green <cmg at ...26...>
"Yeah, but you're taking the universe out of context."
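The rules above match the community string with a plain content: test, and the post notes that anything better needs an SNMP decoder. The following is an added example (mine, not code from Chris Green's post or from Snort) that builds two SNMPv1 datagrams by hand (constructed sample data, not captured traffic) and runs both checks over them: the substring test the posted rules perform, and a minimal BER walk that pulls the real community string out of the message. It assumes SNMPv1/v2c framing only; the hypothetical helpers (snmp_v1, extract_community, content_rule_fires, decoder_rule_fires) are named for this example.

```python
"""Why content:"public" is a crude stand-in for an SNMP decoder.

Added example, not code from the Snort-sigs post. It hand-builds SNMPv1
GetRequest/SetRequest datagrams (constructed sample data) and compares the
substring test the posted rules perform with a minimal BER walk that reads
the community string field itself.
"""


def ber_len(n):
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    """One BER element: tag, length, value."""
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(v):
    """Non-negative INTEGER; the extra leading 0x00 keeps a set high bit from reading as a sign."""
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def ber_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed into one byte, remaining arcs base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return tlv(0x06, bytes(body))


def snmp_v1(community, pdu_tag, oid, value):
    """SNMPv1 message: SEQUENCE { version 0, community, PDU { id, status, index, varbinds } }."""
    varbinds = tlv(0x30, tlv(0x30, ber_oid(oid) + value))
    pdu = tlv(pdu_tag, ber_int(1) + ber_int(0) + ber_int(0) + varbinds)
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + pdu)


GET_REQUEST, SET_REQUEST = 0xA0, 0xA3
NULL = b"\x05\x00"

# Constructed samples (not captured traffic):
PKT_PUBLIC_GET = snmp_v1("public", GET_REQUEST, "1.3.6.1.2.1.1.1.0", NULL)   # sysDescr.0
PKT_SECRET_SET = snmp_v1("secret", SET_REQUEST, "1.3.6.1.2.1.1.4.0",          # sysContact.0
                         tlv(0x04, b"public relations"))
NOT_SNMP = b"public"   # any UDP payload to port 161 that happens to carry the string


def read_tlv(buf, pos):
    """Return (tag, value, position after this element); raise on a truncated element."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos:pos + length], pos + length


def extract_community(pkt):
    """Minimal SNMP v1/v2c decoder: returns (version, community) or raises ValueError."""
    try:
        tag, body, end = read_tlv(pkt, 0)
        if tag != 0x30 or end != len(pkt):
            raise ValueError("outer SEQUENCE missing or trailing bytes")
        tag, ver, pos = read_tlv(body, 0)
        version = int.from_bytes(ver, "big", signed=True)
        if tag != 0x02 or version not in (0, 1):   # v3 carries msgGlobalData here, no community
            raise ValueError("not SNMPv1/v2c")
        tag, community, _ = read_tlv(body, pos)
        if tag != 0x04:
            raise ValueError("community is not an OCTET STRING")
        return version, community.decode("latin-1")
    except IndexError as exc:
        raise ValueError("short packet") from exc


def content_rule_fires(pkt, needle):
    """What content:"public" does: a substring test over the whole payload."""
    return needle.encode() in pkt


def decoder_rule_fires(pkt, needle):
    """What a decoder-backed rule could do: compare the parsed community field exactly."""
    try:
        return extract_community(pkt)[1] == needle
    except ValueError:
        return False


if __name__ == "__main__":
    for name, pkt in [("public GET", PKT_PUBLIC_GET), ("secret SET", PKT_SECRET_SET), ("not SNMP", NOT_SNMP)]:
        print(f"{name:11s} content: {content_rule_fires(pkt, 'public')!s:5}  "
              f"decoder: {decoder_rule_fires(pkt, 'public')}")
```

The SetRequest with community "secret" and a value of "public relations" fires the content rule but not the decoder check, as does a non-SNMP datagram that merely contains the string; the real "public" GetRequest fires both. That gap is what the post means by needing a decoder: the content rules are a reasonable first cut for spotting default communities from unexpected hosts, but every hit still wants a look at the actual community field before it is treated as an exposure.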