[Snort-sigs] SNMP signatures?
Sandro.Poppi at ...474...
Fri May 24 06:31:01 EDT 2002
Does anyone have SNMP signatures to detect get/get-next/set requests? I
tested the following after analyzing set requests but it has a high false
positive rate since I depend on a single character in the payload:

alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"LOCAL SNMP SET detected!"; content:"|a3|"; classtype:misc-attack; offset:3; rev:1;)

The offset is kind of arbitrary since the PDU type is put after the
community string which is of variable length.
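
An added example (not part of the original post, and not Snort code): a Python sketch that finds the PDU type by walking the BER header past the variable-length community string, next to a model of the posted rule's single-byte match. The function names and the two sample datagrams are constructed for illustration; the PDU tags a0/a1/a2/a3 are the standard SNMPv1 get/get-next/response/set values.

```python
PDU_TYPES = {0xA0: "get", 0xA1: "get-next", 0xA2: "response", 0xA3: "set"}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_len) for the BER TLV at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                       # short-form length
        length = first
    else:                                  # long form: low 7 bits count the length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of datagram")
    return tag, pos, length

def snmp_pdu_type(datagram):
    """Return the PDU name of an SNMPv1/v2c message, or None if it does not parse."""
    try:
        pos = 0
        for expected in (0x30, 0x02, 0x04):      # SEQUENCE, version, community
            tag, start, length = read_tlv(datagram, pos)
            if tag != expected:
                return None
            # Descend into the outer SEQUENCE; skip over version and community.
            pos = start if tag == 0x30 else start + length
        pdu_tag, _, _ = read_tlv(datagram, pos)
    except ValueError:
        return None
    return PDU_TYPES.get(pdu_tag, "other")

def naive_match(datagram):
    """Model of the posted rule: byte 0xa3 anywhere from offset 3 onward."""
    return b"\xa3" in datagram[3:]

def sample(community, pdu_tag, request_id):
    """Constructed datagram: version 0, empty varbind list, all lengths < 128."""
    rid = bytes([0x02, len(request_id)]) + request_id
    pdu_body = rid + bytes.fromhex("020100" "020100" "3000")
    pdu = bytes([pdu_tag, len(pdu_body)]) + pdu_body
    body = b"\x02\x01\x00" + bytes([0x04, len(community)]) + community + pdu
    return bytes([0x30, len(body)]) + body

GET_FP = sample(b"public", 0xA0, b"\x00\xa3")   # GET whose request-id contains 0xa3
SET_LONG = sample(b"a-much-longer-community", 0xA3, b"\x01")
```

GET_FP is a get request that the single-byte match flags as a set, while the header walk reports it correctly regardless of community length.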