[Snort-sigs] SNNMP signatures?

Paul_Asadoorian paul at ...606...
Sat May 25 09:21:03 EDT 2002


I have been pondering a signature for this as well, and short of making
snort aware of SNMP at the application layer (eg. Plugin) I haven't come
up with much.  I am currently working on the community string buffer
overflow and trying to develop signatures for it (I have non as of yet,
but will most certain share when I do).  I think that the only real way
to detect this is to measure the size of the community string and see if
its over 256 bytes.  This could be extremely useful in detecting many
buffer overflows, just measure the size of the parameter being passed
inside the packet, but again this gets into a lot of application layer
intelligence.  Any thoughts?

Thanks,

Paul

-----Original Message-----
From: snort-sigs-admin at lists.sourceforge.net
[mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of Poppi,
Sandro
Sent: Friday, May 24, 2002 9:30 AM
To: 'snort-sigs at lists.sourceforge.net'
Subject: [Snort-sigs] SNNMP signatures?


Hi there,

does anyone have snmp signatures to detect get/get-next/set requests? I
tested the following after analyzing set requests but it has a high fals
positive rate since I depend on a single character in the payload:

alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"LOCAL SNMP SET
detected!"; content:"|a3|"; classtype:misc-attack; offset:3; rev:1;)

The offset is kind of arbitrary since the pdu type is put after the
community string which is of variable length.

TIA,
Sandro

_______________________________________________________________

Don't miss the 2002 Sprint PCS Application Developer's Conference August
25-28 in Las Vegas -- http://devcon.sprintpcs.com/adp/index.cfm

_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs






More information about the Snort-sigs mailing list