[Snort-users] BO in snmpXdmid (Solaris)

Borja Marcos borjamar at ...778...
Tue Apr 3 03:11:29 EDT 2001


jh wrote:
> 
> holger.bumke at ...1216... wrote:
> >
> > As I'm not deep enough in the snmp-stuff, I 'd like to know if anyone in
> > this group has already made a rule for snort or has some input on this
> > thing, so that we can develop the rule together.
> 
> We've recently seen the nasty side of this exploit where I work. Our IDS
> has captured bits of what is sent which could likely be used as a
> signature:

	I have seen the attack, and the probes for the RPC service
100249 (snmpXdmid) to the portmapper were caught by us as a
"rpc portmap statd" in rpc.rules. 

	This seems to match most of the requests to the portmapper.
However, if you have kept the tcpdump traces (or you keep a database),
you can search for packets sent to the portmapper
containing the data |018799| (in fact, the service number for
snmpXdmid).

	Search your snort logs; you might have some source addresses
for the attack.


	Borja.
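As an added example (not from this post or from Snort), the check Borja describes, written out against a SunRPC portmapper GETPORT call: the requested program number is carried as a 4-byte big-endian XDR integer, so 100249 shows up as 00 01 87 99. The sample packets below are constructed, and the header layout assumed is the standard RPC v2 CALL with AUTH_NULL credentials.

```python
import struct

PORTMAP_PROG = 100000       # program number of the portmapper itself
PMAPPROC_GETPORT = 3        # portmapper procedure that resolves prog -> port
SNMPXDMID_PROG = 100249     # 0x018799, the bytes the post says to grep for
STATD_PROG = 100024         # 0x0186B8, what the "rpc portmap statd" rule looks for

def build_getport_call(prog, vers, proto=6, xid=0x1234):
    """Constructed sample: RPC v2 CALL to portmapper GETPORT (XDR, big-endian)
    with empty AUTH_NULL credentials and verifier."""
    hdr = struct.pack(">IIIIII", xid, 0, 2, PORTMAP_PROG, 2, PMAPPROC_GETPORT)
    auth = struct.pack(">IIII", 0, 0, 0, 0)       # cred flavor/len, verf flavor/len
    args = struct.pack(">IIII", prog, vers, proto, 0)
    return hdr + auth + args

def quick_pattern_hit(payload):
    """The raw log search from the post: any occurrence of |01 87 99|.
    Cheap, but it can also match inside the XID or other fields."""
    return b"\x01\x87\x99" in payload

def parse_getport_call(payload):
    """Return (prog, vers, proto) requested in a portmapper GETPORT call,
    or None if the payload is not such a call."""
    if len(payload) < 24:
        return None
    xid, mtype, rpcvers, prog, vers, proc = struct.unpack(">IIIIII", payload[:24])
    if mtype != 0 or rpcvers != 2 or prog != PORTMAP_PROG or proc != PMAPPROC_GETPORT:
        return None
    off = 24
    for _ in range(2):          # skip credentials and verifier (opaque_auth)
        if len(payload) < off + 8:
            return None
        flavor, length = struct.unpack(">II", payload[off:off + 8])
        off += 8 + ((length + 3) & ~3)   # body is padded to 4 bytes
    if len(payload) < off + 16:
        return None
    tprog, tvers, tproto, _port = struct.unpack(">IIII", payload[off:off + 16])
    return tprog, tvers, tproto

def is_snmpxdmid_probe(payload):
    """Field-aware check: only a GETPORT asking for program 100249 counts."""
    parsed = parse_getport_call(payload)
    return parsed is not None and parsed[0] == SNMPXDMID_PROG
```

The field-aware check is what separates a genuine snmpXdmid lookup from the statd lookups the generic rule also catches.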



