[Snort-sigs] sid 1411

Crow, Owen Owen_Crow at ...449...
Tue Mar 19 13:07:24 EST 2002

# This is my first DB entry.  Please comment! 

# My sensor(s) are mostly internal at this point so you may notice a 
# bias towards intranet as opposed to Internet/DMZ traffic. 

# I tried to queue this one up, but it said it was already being worked 
# on.  Sorry if I'm stepping on someone else's work.  Could we add a 
# date to the Signature Request Queue so we know how long it's been 
# queued?

# Owen Crow
# Systems Programmer (Unix)
# BMC Software, Inc.


alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP public access udp"; content:"public"; reference:cve,can-2002-0012; reference:cve,can-2002-0013; classtype:attempted-recon; sid:1411; rev:1;)

Someone attempted to retrieve information via SNMP using a well-known 
default password.


Potentially valuable reconnaissance information may have passed from the 
target to the attacker.  This is just the request, so it is unknown if 
the target system replied based on this rule.

Detailed Information: 

If a valid attack, the system in $EXTERNAL_NET is retrieving potentially 
sensitive information from the SNMP service on the system in $HOME_NET.  
Examine the packet to determine what information was requested and 
whether the target system has SNMP enabled and is vulnerable to any 
SNMP weaknesses.

Attack Scenarios: 

An attacker can retrieve information from network devices or hosts 
regarding the structure of your network.  Exposed network devices such 
as firewalls, routers and managed hubs/switches have detailed 
information about your network which would aid an attacker in the 
reconnaissance phase of an attack.

Ease of Attack: 

There are tools to automate the scanning for vulnerable systems, 
retrieval of information, and analysis of the information with little or 
no expertise.

False Positives: 

Many network management packages routinely scan their networks for 
SNMP-enabled devices.  If $EXTERNAL_NET is set to any, sources inside 
your own network also match the rule, and an alert on such a source is 
a false positive triggered by benign intranet traffic.  

UDP packets do not require a full connection or a correct source 
address, so the source can be spoofed.  This could be part of a DoS 
attack, or deliberate noise sent to confuse a NIDS.  This is not 
strictly a false positive, but a different type of attack than the 
rule was intended to detect.

False Negatives: 

There are other well-known community strings used by default on 
SNMP-enabled devices that this rule will not detect.
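The following is an added example, not part of the original post or of the
Snort rule set, that shows concretely what the rule header and
content:"public" check do and do not match, covering both the false positive
(an internal management station when $EXTERNAL_NET = any) and the false
negative (a different default community string) described above.  It builds
constructed SNMPv1 GetRequest packets with a small BER encoder, replicates
the rule's match conditions in sid_1411_matches(), and includes a helper an
analyst could use to pull the community string out of a captured payload.
The HOME_NET range, addresses and function names are assumptions of this
example, not values from the post.

```python
# Added example (not part of the original post): a minimal SNMPv1
# GetRequest encoder plus a matcher that mimics what sid:1411 checks.
# All packets, addresses and network ranges below are constructed.
import ipaddress

HOME_NET = ipaddress.ip_network("10.0.0.0/8")  # constructed $HOME_NET


def ber_len(n):
    """Encode a BER length field (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber(tag, payload):
    """Wrap payload in a BER TLV with the given tag byte."""
    return bytes([tag]) + ber_len(len(payload)) + payload


def snmpv1_get(community, oid=(1, 3, 6, 1, 2, 1, 1, 1, 0)):
    """Build an SNMPv1 GetRequest for one OID (default: sysDescr.0)."""
    # OID encoding: first two arcs packed as 40*a + b, the rest base-128.
    oid_bytes = bytes([40 * oid[0] + oid[1]])
    for arc in oid[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        oid_bytes += bytes(chunk)
    varbind = ber(0x30, ber(0x06, oid_bytes) + ber(0x05, b""))  # OID, NULL
    pdu = ber(0xA0,                       # GetRequest-PDU
              ber(0x02, b"\x01") +        # request-id
              ber(0x02, b"\x00") +        # error-status
              ber(0x02, b"\x00") +        # error-index
              ber(0x30, varbind))         # VarBindList
    # version 0 = SNMPv1, then the community string as an OCTET STRING
    return ber(0x30, ber(0x02, b"\x00") + ber(0x04, community) + pdu)


def snmp_community(payload):
    """Extract the community string from an SNMPv1/v2c message
    (assumes short-form lengths, which holds for these constructed packets)."""
    i = 2 if payload[1] < 0x80 else 2 + (payload[1] & 0x7F)
    if payload[i] != 0x02:
        raise ValueError("expected version INTEGER")
    i += 2 + payload[i + 1]
    if payload[i] != 0x04:
        raise ValueError("expected community OCTET STRING")
    n = payload[i + 1]
    return payload[i + 2:i + 2 + n]


def sid_1411_matches(src_ip, dst_ip, dst_port, payload, external_net_any=False):
    """Replicate the rule: udp $EXTERNAL_NET any -> $HOME_NET 161 with
    content:"public".  external_net_any=True models $EXTERNAL_NET = any,
    under which internal sources also satisfy the source condition."""
    src_external = external_net_any or ipaddress.ip_address(src_ip) not in HOME_NET
    dst_home = ipaddress.ip_address(dst_ip) in HOME_NET
    return src_external and dst_home and dst_port == 161 and b"public" in payload


def demo():
    """Run the four cases discussed in the signature description."""
    pub = snmpv1_get(b"public")
    priv = snmpv1_get(b"private")   # another well-known default string
    return {
        # intended detection: external source, "public" community
        "external_public": sid_1411_matches("203.0.113.7", "10.1.2.3", 161, pub),
        # false positive: internal NMS scan matches when $EXTERNAL_NET = any
        "internal_nms_ext_any": sid_1411_matches("10.9.9.9", "10.1.2.3", 161, pub,
                                                 external_net_any=True),
        # same NMS scan does not match once $EXTERNAL_NET excludes $HOME_NET
        "internal_nms_ext_strict": sid_1411_matches("10.9.9.9", "10.1.2.3", 161, pub),
        # false negative: a different default community string is not matched
        "external_private": sid_1411_matches("203.0.113.7", "10.1.2.3", 161, priv),
    }


if __name__ == "__main__":
    for case, hit in demo().items():
        print(f"{case}: {'ALERT' if hit else 'no alert'}")
    print("community in constructed packet:", snmp_community(snmpv1_get(b"public")))
```

Because the rule uses a bare content:"public" match on the UDP payload, anything
carrying those bytes to port 161 will fire, and anything else (including the
equally common "private" string) will not; the two knobs that matter for tuning
are the $EXTERNAL_NET definition and the list of strings the rule looks for.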

Corrective Action: 

Disable SNMP access into your intranet via your firewall.  Consider 
using egress filtering to disable outbound SNMP attacks. 

Use a scanning tool to ensure that none of your intranet devices are 
using well-known SNMP community strings. 

Disable SNMP on devices that do not require it. 

Disable scans from network management devices or software which might 
trigger this rule.


Owen Crow <owen_crow_NO_SPAM at ...449...>

-- Additional References:
