[Snort-sigs] SNMP rules part 2

Jon Hart jhart at ...289...
Wed Feb 13 07:53:33 EST 2002


> We use Cricket to monitor our Network equipment and our Netapps.  There is
> a single machine that does this monitoring.  I set NO_SNMP to be
> ![<that_machine>/32] , so it'll match all machines that are not supposed to
> be doing SNMP stuff. 
> 
> -jon 

responding to myself...

Having NO_SNMP actually set to something (instead of "any") might get me
burned on some of the udp rules, but I'm willing to take that risk.  As
long as you do proper ingress filtering, this may only be a minor risk.
Since it may be possible to execute the "one shot, one kill" attack with a
spoofed udp packet, it's really up to the sensor operator to determine what
NO_SNMP should be set to.  If you don't use SNMP for anything, then "any"
would be a good choice.  Then again, this all assumes you trust the
machines inside your network.

for what it's worth,
-jon
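As an added illustration (not part of Jon's post or of the Snort distribution) of what a negated NO_SNMP selects and why the ingress filtering he mentions matters for the spoofed-packet case, assuming 10.0.0.5 is the monitoring host, 10.0.0.0/8 the internal range, and a rule of the form `alert udp $NO_SNMP any -> any 161`:

```python
import ipaddress

# Constructed model of how a Snort "var" with a negated address list, e.g.
#   var NO_SNMP ![10.0.0.5/32]
# selects source hosts, and of the ingress filtering the post relies on.
# Function names and all addresses are assumptions made for this example.

def parse_snort_var(value):
    """Parse 'any', '[a,b]' or '![a,b]' into (negated, networks_or_None)."""
    value = value.strip()
    if value == "any":
        return False, None              # None: every address matches
    negated = value.startswith("!")
    value = value.lstrip("!").strip("[]")
    nets = [ipaddress.ip_network(v.strip(), strict=False) for v in value.split(",")]
    return negated, nets

def var_matches(var, ip):
    """True if ip is selected by the parsed variable, as $NO_SNMP would be."""
    negated, nets = var
    if nets is None:
        return True
    in_list = any(ipaddress.ip_address(ip) in n for n in nets)
    return not in_list if negated else in_list

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed internal range

def passes_ingress_filter(src_ip, arrived_on_external):
    """Border rule: a packet from outside claiming an internal source is dropped."""
    return not (arrived_on_external and ipaddress.ip_address(src_ip) in INTERNAL)

def snmp_alerts(packets, no_snmp="![10.0.0.5/32]"):
    """Apply a rule of the form  alert udp $NO_SNMP any -> any 161  to packets
    given as (src_ip, dst_port, arrived_on_external); returns alerting sources."""
    var = parse_snort_var(no_snmp)
    alerts = []
    for src, dport, external in packets:
        if not passes_ingress_filter(src, external):
            continue                # dropped at the border, never reaches Snort
        if dport == 161 and var_matches(var, src):
            alerts.append(src)
    return alerts

SAMPLE = [  # constructed packets, not from the original post
    ("10.0.0.5", 161, False),   # the monitoring host polling SNMP: no alert
    ("10.0.0.77", 161, False),  # another internal host polling SNMP: alert
    ("10.0.0.5", 161, True),    # outside packet with the poller's address: dropped
    ("10.0.0.77", 162, False),  # trap port, not covered by this rule
]
print(snmp_alerts(SAMPLE))  # ['10.0.0.77']
```

Without the border filter the third packet would be treated as the poller's own traffic and produce no alert, which is the risk the post describes; with NO_SNMP set to "any" every SNMP request alerts, including the poller's.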
