[Snort-sigs] SNMP rules part 2

Jon Hart jhart at ...289...
Wed Feb 13 05:14:09 EST 2002


In response to http://www.cert.org/advisories/CA-2002-03.html, and in
addition to the rules already posted by Chris Green, here are a few more
that I'm using.  These should cover some of the less common SNMP
implementations that CERT mentioned.

<bad paste>
# we use SNMP to monitor some things, so NO_SNMP
# is equal to all the machines that shouldn't be doing SNMP
alert tcp $HOME_NET 199 -> $NO_SNMP any (msg: "OUTBOUND SNMP/tcp mux Response"; reference:url,www.cert.org/advisories/CA-2002-03.html;)
alert udp $HOME_NET 199 -> $NO_SNMP any (msg: "OUTBOUND SNMP/udp mux Response"; reference:url,www.cert.org/advisories/CA-2002-03.html;)

alert tcp $NO_SNMP any -> $HOME_NET 199 (msg: "INBOUND SNMP/tcp mux Request"; reference:url,www.cert.org/advisories/CA-2002-03.html;)
alert udp $NO_SNMP any -> $HOME_NET 199 (msg: "INBOUND SNMP/udp mux Request"; reference:url,www.cert.org/advisories/CA-2002-03.html;)

alert tcp $HOME_NET 391 -> $NO_SNMP any (msg: "OUTBOUND SynOptics SNMP/tcp Relay Traffic"; reference:url,www.cert.org/advisories/CA-2002-03.html;)
alert udp $HOME_NET 391 -> $NO_SNMP any (msg: "OUTBOUND SynOptics SNMP/udp Relay Traffic"; reference:url,www.cert.org/advisories/CA-2002-03.html;)

alert tcp $NO_SNMP any -> $HOME_NET 391 (msg: "INBOUND SynOptics SNMP/tcp Relay Traffic"; reference:url,www.cert.org/advisories/CA-2002-03.html;)
alert udp $NO_SNMP any -> $HOME_NET 391 (msg: "INBOUND SynOptics SNMP/udp Relay Traffic"; reference:url,www.cert.org/advisories/CA-2002-03.html;)

alert tcp $HOME_NET 1993 -> $NO_SNMP any (msg: "OUTBOUND Cisco SNMP/tcp Traffic"; reference:url,www.cert.org/advisories/CA-2002-03.html;)
alert udp $HOME_NET 1993 -> $NO_SNMP any (msg: "OUTBOUND Cisco SNMP/udp Traffic"; reference:url,www.cert.org/advisories/CA-2002-03.html;)

alert tcp $NO_SNMP any -> $HOME_NET 1993 (msg: "INBOUND Cisco SNMP/tcp Traffic"; reference:url,www.cert.org/advisories/CA-2002-03.html;)
alert udp $NO_SNMP any -> $HOME_NET 1993 (msg: "INBOUND Cisco SNMP/udp Traffic"; reference:url,www.cert.org/advisories/CA-2002-03.html;)

</bad paste>

Salt, format to taste.

I believe some of these rules will conflict with some of the DOS rules,
so you may need to do some rule checking.

-jon
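The rules above key entirely on their headers (protocol, $HOME_NET/$NO_SNMP, and the vendor ports 199, 391 and 1993), so the cheapest way to sanity-check them before loading is to evaluate those headers against sample flows and look for rules whose headers are identical. The following Python is an added example, not part of Jon's post or of Snort; the $HOME_NET/$NO_SNMP values and the flows are constructed, and only a subset of the posted rules is embedded.

```python
# Added example: evaluate the posted rule *headers* against sample flows and
# flag rules whose headers are identical (the "rule checking" the post mentions).
import ipaddress
import re

# Constructed variable definitions; in practice they come from snort.conf.
NET_VARS = {
    "$HOME_NET": ["10.0.0.0/8"],
    "$NO_SNMP": ["10.1.0.0/16"],   # hosts that should never speak SNMP
}

RULE_RE = re.compile(
    r'^alert\s+(?P<proto>tcp|udp)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s+\(msg:\s*"(?P<msg>[^"]*)"')

def parse_rule(line):
    """Split one 'alert <proto> <src> <sport> -> <dst> <dport> (msg:...)' line."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("unparsed rule: " + line)
    return m.groupdict()

def _addr_matches(spec, ip):
    if spec == "any":
        return True
    nets = NET_VARS.get(spec, [spec])          # a $VAR or a literal CIDR
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in nets)

def _port_matches(spec, port):
    return spec == "any" or int(spec) == port

def matching_msgs(rules, proto, src, sport, dst, dport):
    """Return the msg of every rule whose header covers this 5-tuple."""
    return [r["msg"] for r in rules
            if r["proto"] == proto
            and _addr_matches(r["src"], src) and _port_matches(r["sport"], sport)
            and _addr_matches(r["dst"], dst) and _port_matches(r["dport"], dport)]

def duplicate_headers(rules):
    """Header tuples that occur more than once; such rules overlap completely."""
    keys = [(r["proto"], r["src"], r["sport"], r["dst"], r["dport"]) for r in rules]
    return sorted({k for k in keys if keys.count(k) > 1})

# Constructed subset of the posted rules (sid/rev omitted, as in the post).
RULES = [parse_rule(line) for line in """
alert tcp $HOME_NET 199 -> $NO_SNMP any (msg: "OUTBOUND SNMP/tcp mux Response"; reference:url,www.cert.org/advisories/CA-2002-03.html;)
alert udp $NO_SNMP any -> $HOME_NET 391 (msg: "INBOUND SynOptics SNMP/udp Relay Traffic"; reference:url,www.cert.org/advisories/CA-2002-03.html;)
alert udp $NO_SNMP any -> $HOME_NET 1993 (msg: "INBOUND Cisco SNMP/udp Traffic"; reference:url,www.cert.org/advisories/CA-2002-03.html;)
""".strip().splitlines()]
```

Because $NO_SNMP sits inside $HOME_NET here, a flow between two $NO_SNMP hosts can satisfy an OUTBOUND header on one rule and an INBOUND header on another only when the ports differ, which is why the checker evaluates full 5-tuples rather than addresses alone.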
