[Snort-sigs] Ignoring Win32 SNMP printer checks

nnposter at ...592...
Tue May 18 08:34:02 EDT 2004


For those people who like to keep track of simple SNMP requests (sid 1411)
but are inundated with Win2K and XP hosts checking network printer status:

pass udp $HOME_NET any -> $HOME_NET 161 \
    (msg:"SNMP Win32 printer status check"; byte_test:1,<,0x4f,1; \
    content:"|02 01 00 04 06|public|a0|"; offset:2; depth:12; \
    byte_jump:1,2,relative; \
    content:"|02 01 00 02 01 00 30 33 30 0f 06 0b 2b 06 01 02 01 19 03 02 01 05 01 05 00 30 0f 06 0b 2b 06 01 02 01 19 03 05 01 01 01 05 00 30 0f 06 0b 2b 06 01 02 01 19 03 05 01 02 01 05 00|"; \
    distance:0; within:59; \
    classtype:not-suspicious; sid:put-your-own-here; rev:1;)


For those who want to know what's inside this rule:

SNMP V1 PDU shorter than 0x4f, community string "public", no errors, and OIDs:
iso.3.6.1.2.1.25.3.2.1.5.1 (HOST-RESOURCES-MIB::hrDeviceStatus.1)
iso.3.6.1.2.1.25.3.5.1.1.1 (HOST-RESOURCES-MIB::hrPrinterStatus.1)
iso.3.6.1.2.1.25.3.5.1.2.1 (HOST-RESOURCES-MIB::hrPrinterDetectedErrorState.1)
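As an added worked example (not part of the original post), the script below builds the SNMPv1 GetRequest that the rule is meant to pass, decodes it far enough to show the community string, error fields and the three HOST-RESOURCES-MIB OIDs, and then walks the rule's payload options (byte_test, content/offset/depth, byte_jump:1,2,relative, content/distance/within) the way Snort evaluates them. The packet, the 4-byte request-id and the alternative inputs are constructed here for illustration; the byte strings in RULE_CONTENT_1 and RULE_CONTENT_2 are copied from the rule above.

```python
"""Build a Win32-style SNMPv1 printer-status GetRequest and emulate the Snort pass rule.

The sample packets are constructed for this example; only the content bytes are
taken from the posted rule.
"""

def tlv(tag: int, body: bytes) -> bytes:
    """BER TLV with a short-form length (all pieces here are under 128 bytes)."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body


def encode_oid(oid: str) -> bytes:
    """Encode a dotted OID: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))  # high bit set on all but the last byte
            arc >>= 7
        out += chunk
    return bytes(out)


def decode_oid(data: bytes) -> str:
    arcs, val = [data[0] // 40, data[0] % 40], 0
    for b in data[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


PRINTER_OIDS = [
    "1.3.6.1.2.1.25.3.2.1.5.1",  # hrDeviceStatus.1
    "1.3.6.1.2.1.25.3.5.1.1.1",  # hrPrinterStatus.1
    "1.3.6.1.2.1.25.3.5.1.2.1",  # hrPrinterDetectedErrorState.1
]


def build_get_request(community: bytes, request_id: bytes, oids) -> bytes:
    """SNMPv1 GetRequest: SEQUENCE { version 0, community, GetRequest-PDU [a0] }."""
    varbinds = b"".join(tlv(0x30, tlv(0x06, encode_oid(o)) + b"\x05\x00") for o in oids)
    pdu = tlv(0x02, request_id) + b"\x02\x01\x00" + b"\x02\x01\x00" + tlv(0x30, varbinds)
    return tlv(0x30, b"\x02\x01\x00" + tlv(0x04, community) + tlv(0xA0, pdu))


def parse_get_request(pkt: bytes) -> dict:
    """Minimal decoder: enough to see what the rule is keying on."""
    def read(buf, pos):
        tag, ln = buf[pos], buf[pos + 1]
        return tag, buf[pos + 2:pos + 2 + ln], pos + 2 + ln

    tag, body, _ = read(pkt, 0)
    assert tag == 0x30, "not a BER SEQUENCE"
    _, version, p = read(body, 0)
    _, community, p = read(body, p)
    pdu_tag, pdu, _ = read(body, p)
    _, _req_id, p = read(pdu, 0)
    _, err_status, p = read(pdu, p)
    _, err_index, p = read(pdu, p)
    _, vblist, _ = read(pdu, p)
    oids, p = [], 0
    while p < len(vblist):
        _, vb, p = read(vblist, p)
        _, oid, _ = read(vb, 0)
        oids.append(decode_oid(oid))
    return {"version": version[0], "community": community.decode(), "pdu_tag": pdu_tag,
            "error_status": err_status[0], "error_index": err_index[0], "oids": oids}


# Bytes copied from the rule's two content options.
RULE_CONTENT_1 = bytes.fromhex("02 01 00 04 06") + b"public" + b"\xa0"
RULE_CONTENT_2 = bytes.fromhex(
    "02 01 00 02 01 00 30 33 30 0f 06 0b 2b 06 01 02 01 19 03 02 01 05 01 05 00"
    "30 0f 06 0b 2b 06 01 02 01 19 03 05 01 01 01 05 00"
    "30 0f 06 0b 2b 06 01 02 01 19 03 05 01 02 01 05 00")


def rule_matches(pkt: bytes) -> bool:
    """Apply the rule's payload options in order, moving the detection cursor as Snort does."""
    # byte_test:1,<,0x4f,1 -> outer SEQUENCE length byte must be below 0x4f
    if len(pkt) < 2 or not pkt[1] < 0x4F:
        return False
    # content:"|02 01 00 04 06|public|a0|"; offset:2; depth:12 -> exact bytes at offset 2
    if pkt[2:2 + len(RULE_CONTENT_1)] != RULE_CONTENT_1:
        return False
    cursor = 2 + len(RULE_CONTENT_1)          # cursor now sits on the PDU length byte
    # byte_jump:1,2,relative -> read the request-id length (cursor+2), skip past its value
    idx = cursor + 2
    if idx >= len(pkt):
        return False
    cursor = idx + 1 + pkt[idx]
    # content:...; distance:0; within:59 -> the 59-byte tail must start exactly at the cursor
    return pkt[cursor:cursor + len(RULE_CONTENT_2)] == RULE_CONTENT_2


if __name__ == "__main__":
    probe = build_get_request(b"public", b"\x00\x00\x00\x01", PRINTER_OIDS)
    print(probe.hex(" "))
    print(parse_get_request(probe))
    print("rule passes probe:", rule_matches(probe))
```

With a 4-byte request-id the outer SEQUENCE length comes out at 0x4e, one below the rule's 0x4f ceiling, which is why the byte_test fits the Windows probe so tightly; a longer community string, a different community, or a fourth varbind all fail the rule and fall through to the normal sid 1411 alert.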



