[Snort-users] SNMP Rule to detect current threat?
Andrew R. Baker
andrewb at ...950...
Thu Feb 14 13:32:10 EST 2002
Chip Kelly wrote:
> Has someone written one to share, or is there one located somewhere? -chip
A new rule was committed to the rules in CVS yesterday morning. This
rule is based on the community string buffer overflow attack against
ucd-snmp. I *think* it looks like this (I sent the details to cazz and
let him write the rule):
alert udp $EXTERNAL_NET any -> $INTERNAL_NET 161:162 (msg:"SNMP Community String Buffer Overflow Attack"; content:"|02 01 00 04 82 01 00|"; offset:4;)
however, using "content:"|04 82 01 00|"; offset:7; depth:5;" may
prevent some evasion techniques (but I have not validated whether those
evasion techniques will still allow the exploit to function).
Please remember that this is only based on one verified vulnerability in
the ucd-snmp package, other vulnerabilities may also exist that would
require different signatures to detect.
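As an added example that is not part of the original post, the Python below decodes the declared community-string length with a small BER walker (so an oversized string is flagged however its length happens to be encoded) and models the two content/offset matches from the post, all run over constructed SNMPv1 packets; `snmp_get`, the helper names and the 128-byte threshold are assumptions for illustration, not part of the Snort rule set.

```python
# Added example (not from the post or the Snort rules): BER length walker for
# the SNMP community string, beside the two byte-pattern checks discussed above.

def ber_len(n):
    """Encode a BER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def read_tlv(buf, pos):
    """Decode tag and length at buf[pos]; return (tag, value_offset, value_len)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        return tag, pos + 2, first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or n > 4 or pos + 2 + n > len(buf):
        raise ValueError("unsupported or truncated BER length")
    return tag, pos + 2 + n, int.from_bytes(buf[pos + 2:pos + 2 + n], "big")

def community_length(pkt):
    """Declared length of the community OCTET STRING, whatever its encoding."""
    tag, pos, _ = read_tlv(pkt, 0)             # outer SEQUENCE
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    tag, pos, vlen = read_tlv(pkt, pos)        # version INTEGER
    if tag != 0x02:
        raise ValueError("missing version")
    tag, _, clen = read_tlv(pkt, pos + vlen)   # community OCTET STRING
    if tag != 0x04:
        raise ValueError("missing community string")
    return clen

def signature_offset4(pkt):
    """content:"|02 01 00 04 82 01 00|"; offset:4; -> searched from byte 4 on."""
    return pkt.find(bytes.fromhex("02010004820100"), 4) != -1

def signature_offset7_depth5(pkt):
    """content:"|04 82 01 00|"; offset:7; depth:5; -> only bytes 7..11 searched."""
    return pkt[7:12].find(bytes.fromhex("04820100")) != -1

def snmp_get(community):
    """Constructed SNMPv1 GetRequest (empty varbind list) with this community."""
    pdu = bytes.fromhex("a00b0201000201000201003000")  # request-id/err/idx all 0
    body = bytes.fromhex("020100") + b"\x04" + ber_len(len(community)) + community + pdu
    return b"\x30" + ber_len(len(body)) + body

def oversized_community(pkt, limit=128):
    """Length-based check (assumed threshold): any community longer than limit."""
    return community_length(pkt) > limit
```

A 256-byte community string matches both byte patterns and the length check, while a packet with a 200-byte string is caught only by the length check, which is why parsing the BER length is the more general detection.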