[Snort-sigs] RE: Ignoring Win32 SNMP printer checks

Shawn Cannon cannon1941 at ...1143...
Wed May 19 05:31:02 EDT 2004


Referencing the message below, does this rule only ignore public SNMP access to printers but still alert on other public SNMP requests?  I want to make sure that I only ignore the printer SNMP requests.  Thanks....

Shawn

  Message: 2
  To: snort-sigs at lists.sourceforge.net
  From: nnposter at ...592...
  Date: Tue, 18 May 2004 10:38:43 -0600
  Subject: [Snort-sigs] Ignoring Win32 SNMP printer checks


  For those people who like to keep track of simple SNMP requests (sid 1411)
  but are inundated with Win2K and XP hosts checking network printer status:

  pass udp $HOME_NET any -> $HOME_NET 161 \
  (msg:"SNMP Win32 printer status check"; byte_test:1,<,0x4f,1; \
  content:"|02 01 00 04 06|public|a0|"; offset:2; depth:12; \
  byte_jump:1,2,relative; \
  content:"|02 01 00 02 01 00 30 33 30 0f 06 0b 2b 06 01 02 01 19 03 02 01 05 \
  01 05 00 30 0f 06 0b 2b 06 01 02 01 19 03 05 01 01 01 05 00 30 0f 06 0b 2b 06 \
  01 02 01 19 03 05 01 02 01 05 00|"; distance:0; within:59; \
  classtype:not-suspicious; sid:put-your-own-here; rev:1;)


  For those who want to know what's inside this rule:

  SNMP V1 PDU shorter than 0x4f, community string "public", no errors, and OIDs:
  iso.3.6.1.2.1.25.3.2.1.5.1 (HOST-RESOURCES-MIB::hrDeviceStatus.1)
  iso.3.6.1.2.1.25.3.5.1.1.1 (HOST-RESOURCES-MIB::hrPrinterStatus.1)
  iso.3.6.1.2.1.25.3.5.1.2.1 (HOST-RESOURCES-MIB::hrPrinterDetectedErrorState
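An added example, my own code and not from either post or from the Snort project: a minimal SNMPv1 BER decoder that applies the same conditions the pass rule encodes at the byte level (message length byte below 0x4f, version 0, community "public", GetRequest PDU, zero error-status and error-index, and exactly the three HOST-RESOURCES OIDs in the rule's order). `build_get_request` constructs sample traffic for the check; the packets are built here, not captured, and the function names `parse_snmpv1` and `is_win32_printer_status_check` are mine. `RULE_CONTENT` is the rule's second `content:` pattern copied from the post, so the script also shows that a decoded printer-status request contains those 59 bytes verbatim, and that any other community string or OID set falls outside the pass rule.

```python
"""Added example (not from the posts): decode an SNMPv1 GetRequest and apply the
same conditions as the "SNMP Win32 printer status check" pass rule."""

# OIDs named in the post, in dotted form ("iso" == 1). Order matters: the rule
# matches one fixed byte sequence, so the varbinds must appear in this order.
PRINTER_STATUS_OIDS = (
    "1.3.6.1.2.1.25.3.2.1.5.1",  # HOST-RESOURCES-MIB::hrDeviceStatus.1
    "1.3.6.1.2.1.25.3.5.1.1.1",  # HOST-RESOURCES-MIB::hrPrinterStatus.1
    "1.3.6.1.2.1.25.3.5.1.2.1",  # HOST-RESOURCES-MIB::hrPrinterDetectedErrorState.1
)
GET_REQUEST = 0xA0  # SNMPv1 GetRequest-PDU tag

# The rule's second content pattern, copied from the post: error-status 0,
# error-index 0, then a 0x33-byte varbind list holding the three OIDs (59 bytes).
RULE_CONTENT = bytes.fromhex(
    "02 01 00 02 01 00 30 33"
    "30 0f 06 0b 2b 06 01 02 01 19 03 02 01 05 01 05 00"
    "30 0f 06 0b 2b 06 01 02 01 19 03 05 01 01 01 05 00"
    "30 0f 06 0b 2b 06 01 02 01 19 03 05 01 02 01 05 00"
)


def _tlv(buf, pos):
    """Decode one BER TLV at pos -> (tag, value, next_pos). Handles short-form and
    one-byte long-form lengths, enough for any message under the rule's 0x4f cap."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        if (length & 0x7F) != 1:
            raise ValueError("unsupported BER length encoding")
        length, pos = buf[pos], pos + 1
    return tag, buf[pos:pos + length], pos + length


def _oid(value):
    """BER OBJECT IDENTIFIER contents -> dotted string (e.g. 2b 06 ... -> 1.3.6...)."""
    parts, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(acc)
            acc = 0
    return ".".join(str(p) for p in parts)


def parse_snmpv1(pkt):
    """Parse an SNMPv1 message into a dict; raises ValueError/IndexError on junk."""
    tag, msg, end = _tlv(pkt, 0)
    if tag != 0x30 or end != len(pkt):
        raise ValueError("not a single SNMP SEQUENCE")
    _, version, p = _tlv(msg, 0)
    _, community, p = _tlv(msg, p)
    pdu_tag, pdu, p = _tlv(msg, p)
    _, req_id, q = _tlv(pdu, 0)
    _, err_status, q = _tlv(pdu, q)
    _, err_index, q = _tlv(pdu, q)
    vb_tag, vblist, q = _tlv(pdu, q)
    if p != len(msg) or q != len(pdu) or vb_tag != 0x30:
        raise ValueError("malformed PDU")
    oids, r = [], 0
    while r < len(vblist):
        _, vb, r = _tlv(vblist, r)
        _, oid_bytes, _ = _tlv(vb, 0)
        oids.append(_oid(oid_bytes))
    to_int = lambda v: int.from_bytes(v, "big", signed=True)
    return {"version": to_int(version), "community": community.decode("latin-1"),
            "pdu_type": pdu_tag, "request_id": to_int(req_id),
            "error_status": to_int(err_status), "error_index": to_int(err_index),
            "oids": oids}


def is_win32_printer_status_check(pkt):
    """True when the packet satisfies the pass rule's conditions."""
    if len(pkt) < 2 or pkt[0] != 0x30 or pkt[1] >= 0x4F:  # byte_test:1,<,0x4f,1
        return False
    try:
        m = parse_snmpv1(pkt)
    except (ValueError, IndexError):
        return False
    return (m["version"] == 0 and m["community"] == "public"
            and m["pdu_type"] == GET_REQUEST and m["error_status"] == 0
            and m["error_index"] == 0 and tuple(m["oids"]) == PRINTER_STATUS_OIDS)


def _enc(tag, value):
    if len(value) >= 0x80:
        raise ValueError("only short-form lengths are produced here")
    return bytes([tag, len(value)]) + value


def _enc_int(n):
    length = max(1, (n.bit_length() + 8) // 8)  # minimal two's-complement width
    return _enc(0x02, n.to_bytes(length, "big", signed=True))


def _enc_oid(dotted):
    parts = [int(x) for x in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)


def build_get_request(community, oids, request_id):
    """Encode an SNMPv1 GetRequest (constructed sample traffic, not a capture)."""
    varbinds = b"".join(_enc(0x30, _enc(0x06, _enc_oid(o)) + b"\x05\x00") for o in oids)
    pdu = _enc_int(request_id) + _enc_int(0) + _enc_int(0) + _enc(0x30, varbinds)
    return _enc(0x30, _enc_int(0) + _enc(0x04, community.encode()) + _enc(GET_REQUEST, pdu))


if __name__ == "__main__":
    # With a 4-byte request-id the length byte is 0x4e, just under the rule's 0x4f cap.
    sample = build_get_request("public", PRINTER_STATUS_OIDS, 0x12345678)
    print(sample.hex(" "), parse_snmpv1(sample), is_win32_printer_status_check(sample))
```

Running it shows the constructed printer-status request matching, while the same request with community "private", with only two of the OIDs, or for an unrelated OID such as sysDescr.0 does not; sid 1411 would still see those.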