[Snort-sigs] sid 1411
Owen_Crow at ...449...
Tue Mar 19 13:07:24 EST 2002
# This is my first DB entry. Please comment!
# My sensor(s) are mostly internal at this point so you may notice a
# bias towards intranet as opposed to Internet/DMZ traffic.
# I tried to queue this one up, but it said it was already being worked
# on. Sorry if I'm stepping on someone else's work. Could we add a
# date to the Signature Request Queue so we know how long it's been
# Owen Crow
# Systems Programmer (Unix)
# BMC Software, Inc.
alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP public access udp"; content:"public"; reference:cve,can-2002-0012; reference:cve,can-2002-0013; classtype:attempted-recon; sid:1411; rev:1;)
Someone attempted to retrieve information via SNMP using a well-known
Potentially valuable reconnaissance information may have passed from the
target to the attacker. This rule matches only the request, so by itself
it does not tell whether the target system replied.
If this is a valid attack, the system in $EXTERNAL_NET is retrieving
potentially sensitive information from the SNMP service on the system in
$HOME_NET. Examine the packet to determine what information was
requested, and check whether the target system has SNMP enabled and is
vulnerable to any SNMP weaknesses.
An attacker can retrieve information from network devices or hosts
regarding the structure of your network. Exposed network devices such
as firewalls, routers and managed hubs/switches have detailed
information about your network which would aid an attacker in the
reconnaissance phase of an attack.
Ease of Attack:
There are tools to automate the scanning for vulnerable systems,
retrieval of information, and analysis of the information with little or
Many network management packages routinely scan their networks for SNMP
enabled devices. If the source is not really external ($EXTERNAL_NET =
any), this could be a false positive since it has detected benign
SNMP runs over UDP, which is connectionless, so the packet needs no
established connection and its source address need not be genuine. Such
packets could be part of a DoS attack, or deliberate noise sent to
confuse a NIDS. This is not strictly a false positive, but a different
type of attack than the rule was written to detect.
There are other well-known community strings used by default on
SNMP-enabled devices that this rule will not detect.
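As an added illustration (not part of the original post), the following Python script decodes the community string from the BER header of an SNMPv1/v2c message and compares the result with the rule's plain content:"public" substring match. The packets it uses are constructed in the script (helper names such as build_get and snmp_community are mine), and it shows both the false negative on another default community string and a false positive on a non-SNMP payload that merely contains "public".

```python
# Added example (not from the original post): parse the SNMPv1/v2c community
# string from a UDP payload and compare with sid 1411's content:"public" match.

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length (0x81 nn, 0x82 nn nn)
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def snmp_community(payload):
    """(version, community) of an SNMPv1/v2c message, or None if not SNMP-shaped."""
    try:
        tag, body, _ = _read_tlv(payload, 0)
        if tag != 0x30:                    # Message ::= SEQUENCE
            return None
        tag, ver, pos = _read_tlv(body, 0)
        if tag != 0x02 or ver not in (b"\x00", b"\x01"):   # version 0=v1, 1=v2c
            return None
        tag, comm, _ = _read_tlv(body, pos)
        if tag != 0x04:                    # community ::= OCTET STRING
            return None
        return ver[0], comm.decode("ascii", "replace")
    except IndexError:                     # truncated or junk payload
        return None

def sid1411_fires(payload):
    """The rule's content:"public" is a substring search over the whole payload."""
    return b"public" in payload

def build_get(community, oid=b"\x2b\x06\x01\x02\x01\x01\x05\x00"):
    """Construct an SNMPv1 GetRequest for one OID (default: sysName.0)."""
    varbind = b"\x30" + bytes([len(oid) + 4]) + b"\x06" + bytes([len(oid)]) + oid + b"\x05\x00"
    pdu_body = b"\x02\x01\x01\x02\x01\x00\x02\x01\x00" + b"\x30" + bytes([len(varbind)]) + varbind
    body = b"\x02\x01\x00" + b"\x04" + bytes([len(community)]) + community \
         + b"\xa0" + bytes([len(pdu_body)]) + pdu_body
    return b"\x30" + bytes([len(body)]) + body

# Constructed samples: the intended hit, a miss (other default community), and junk to UDP/161.
SAMPLES = {
    "public_get":  build_get(b"public"),
    "private_get": build_get(b"private"),
    "junk":        b"GET /public/index.html HTTP/1.0\r\n\r\n",
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, "rule fires:", sid1411_fires(pkt), "community:", snmp_community(pkt))
```

Running it shows that private_get is missed by the rule while junk triggers it despite not being SNMP at all, which is the gap a community-string-aware check closes.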
Disable SNMP access into your intranet at your firewall. Consider using
egress filtering as well, so outbound SNMP traffic cannot be used in attacks.
Use a scanning tool to ensure that none of your intranet devices are
using well-known SNMP community strings.
Disable SNMP on devices that do not require it.
Disable scans from network management devices or software which might
trigger this rule.
Owen Crow <owen_crow_NO_SPAM at ...449...>
-- Additional References: