[Snort-users] SNMP Rule to detect current threat?

Andrew R. Baker andrewb at ...950...
Thu Feb 14 13:32:10 EST 2002


Chip Kelly wrote:
> 
> Has someone written one to share, or is there one located somewhere? -chip

A new rule was committed to the rules in CVS yesterday morning.  This
rule is based on the community string buffer overflow attack against
ucd-snmp.  I *think* it looks like this (I sent the details to cazz and
let him write the rule):

alert udp $EXTERNAL_NET any -> $INTERNAL_NET 161:162 (msg:"SNMP Community String Buffer Overflow Attack"; content:"|02 01 00 04 82 01 00|"; offset:4;)

However, using "content:"|04 82 01 00|"; offset:7; depth:5;" may
prevent some evasion techniques (but I have not validated whether those
evasion techniques will still allow the exploit to function).

Please remember that this is only based on one verified vulnerability in
the ucd-snmp package, other vulnerabilities may also exist that would
require different signatures to detect.  

-A
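As an added illustration (not part of the original post, and not the Snort project's code), the following Python models the two content matches from the message against constructed SNMPv1 packets, and adds a BER-aware walk of SEQUENCE -> INTEGER version -> OCTET STRING community that reports the community length whatever the surrounding encoding looks like. The sample packets, the 255-byte threshold, and the use of a non-minimal INTEGER encoding of the version field as the "evasion" case are all my assumptions for the example, not something the post states.

```python
"""
Added example: model the Snort content matches discussed on the list and a
BER-aware community-length check, over constructed SNMPv1 packets.
Nothing here is from the Snort rule set; packets and thresholds are assumed.
"""


def ber_len(n: int) -> bytes:
    """Encode a BER length: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    """Wrap body in a BER tag/length/value triple."""
    return bytes([tag]) + ber_len(len(body)) + body


def snmpv1_get(community: bytes, version: bytes = b"\x02\x01\x00") -> bytes:
    """Build a minimal SNMPv1 GetRequest (constructed sample traffic).

    `version` is taken raw so a non-minimal INTEGER encoding such as
    02 02 00 00 can be substituted (assumed evasion case, see rule_a/rule_b).
    """
    # GetRequest-PDU (A0): request-id, error-status, error-index, empty varbind list
    pdu = tlv(0xA0, tlv(0x02, b"\x01") + tlv(0x02, b"\x00")
              + tlv(0x02, b"\x00") + tlv(0x30, b""))
    return tlv(0x30, version + tlv(0x04, community) + pdu)


def rule_a(payload: bytes) -> bool:
    """content:"|02 01 00 04 82 01 00|"; offset:4;  -> search from byte 4 to end."""
    return payload.find(b"\x02\x01\x00\x04\x82\x01\x00", 4) != -1


def rule_b(payload: bytes) -> bool:
    """content:"|04 82 01 00|"; offset:7; depth:5;  -> search only bytes 7..11,
    so the OCTET STRING tag may sit at byte 7 or byte 8."""
    return b"\x04\x82\x01\x00" in payload[7:7 + 5]


def read_tlv(buf: bytes, pos: int):
    """Decode one BER TLV header at pos; return (tag, value_start, value_len, next_pos)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, length, pos + length


def community_length(payload: bytes):
    """Walk SEQUENCE -> INTEGER version -> OCTET STRING community and return
    the community length, or None if the payload is not SNMPv1-shaped."""
    try:
        tag, start, _, _ = read_tlv(payload, 0)
        if tag != 0x30:
            return None
        tag, _, _, nxt = read_tlv(payload, start)
        if tag != 0x02:
            return None
        tag, _, clen, _ = read_tlv(payload, nxt)
        if tag != 0x04:
            return None
        return clen
    except IndexError:
        return None


COMMUNITY_MAX = 255  # assumed threshold for this example


def oversized_community(payload: bytes) -> bool:
    """Encoding-independent check: flag any community string longer than COMMUNITY_MAX."""
    clen = community_length(payload)
    return clen is not None and clen > COMMUNITY_MAX


if __name__ == "__main__":
    samples = {
        "benign":  snmpv1_get(b"public"),
        "attack":  snmpv1_get(b"A" * 256),
        "evasion": snmpv1_get(b"A" * 256, version=b"\x02\x02\x00\x00"),
    }
    for name, pkt in samples.items():
        print(f"{name:8s} rule_a={rule_a(pkt)!s:5s} rule_b={rule_b(pkt)!s:5s} "
              f"community_len={community_length(pkt)} oversized={oversized_community(pkt)}")
```

With these constructed packets the first match (version bytes plus community tag, searched from offset 4) fires only when the version INTEGER is encoded as exactly 02 01 00; the tighter 04 82 01 00 window at offset 7, depth 5 still fires when a two-byte version encoding shifts the community tag by one byte, which is one reading of why a narrower anchored match can resist some evasion. Both byte matches only ever see a community length of exactly 0x0100, whereas the BER walk reports the length itself, so a decoder-based check is the one that generalizes to other oversized values.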
