[Snort-sigs] SNMP signatures?

Poppi, Sandro Sandro.Poppi at ...474...
Fri May 24 06:31:01 EDT 2002


Hi there,

does anyone have snmp signatures to detect get/get-next/set requests? I
tested the following after analyzing set requests but it has a high false
positive rate since I depend on a single character in the payload:

alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"LOCAL SNMP SET detected!"; content:"|a3|"; classtype:misc-attack; offset:3; rev:1;)

The offset is kind of arbitrary since the pdu type is put after the
community string which is of variable length.

TIA,
Sandro
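
Added example, not part of the original post: a Python sketch that walks the BER header of an SNMPv1/v2c datagram (SEQUENCE, version, community) to read the PDU type at its real position, next to an emulation of the rule's single-byte match. The function names and both sample datagrams are constructed for illustration.

```python
# Added example, not from the original post. Sample datagrams are constructed.
PDU_TYPES = {0xA0: "get-request", 0xA1: "get-next-request", 0xA3: "set-request"}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_len) for the BER TLV at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of datagram")
    return tag, pos, length

def snmp_pdu_type(datagram):
    """Return (community, pdu_name) for an SNMPv1/v2c request, else None."""
    try:
        tag, pos, _ = read_tlv(datagram, 0)                # outer SEQUENCE
        if tag != 0x30:
            return None
        tag, vpos, vlen = read_tlv(datagram, pos)          # INTEGER version
        if tag != 0x02:
            return None
        tag, cpos, clen = read_tlv(datagram, vpos + vlen)  # OCTET STRING community
        if tag != 0x04:
            return None
        pdu_tag, _, _ = read_tlv(datagram, cpos + clen)    # context tag = PDU type
    except ValueError:
        return None
    name = PDU_TYPES.get(pdu_tag)
    return (bytes(datagram[cpos:cpos + clen]), name) if name else None

def naive_rule_matches(datagram):
    # Emulates content:"|a3|"; offset:3; with no depth: any 0xa3 from byte 3 onward.
    return b"\xa3" in datagram[3:]

# Constructed SET request, community "private".
SAMPLE_SET = bytes.fromhex(
    "30 28 02 01 00 04 07 70 72 69 76 61 74 65 a3 1a 02 01 01 02 01 00"
    " 02 01 00 30 0f 30 0d 06 08 2b 06 01 02 01 01 05 00 04 01 78")
# Constructed GET request, community "public"; its request-id contains 0xa3.
SAMPLE_GET = bytes.fromhex(
    "30 29 02 01 00 04 06 70 75 62 6c 69 63 a0 1c 02 04 12 a3 45 67 02 01 00"
    " 02 01 00 30 0e 30 0c 06 08 2b 06 01 02 01 01 01 00 05 00")
```

The constructed GET matches the single-byte check because of its request-id, while the header walk reports it as a get-request.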



