[Snort-users] SNMP Rule to detect current threat?

Rich Adamson radamson at ...2127...
Thu Feb 14 14:26:10 EST 2002


> A new rule was committed to the rules in CVS yesterday morning.  This
> rule is based on the community string buffer overflow attack against
> ucd-snmp.  I *think* it looks like this (I sent the details to cazz and
> let him write the rule):
> 
> alert udp $EXTERNAL_NET any -> $INTERNAL_NET 161:162 (msg: "SNMP
> Community String Buffer Overflow Attack"; content: | 02 01 00 04 82 01
> 00 |; offset: 4;)

I've not tried to validate the above rule, but I think you might not
want to "assume" external -> internal. Should really be any -> any.

If you analyze the documented vulnerability, the typical MS workstation
cannot be used via virus/trojan scripts to generate the activity. However,
someone could write an executable and distribute it via known mechanisms
in such a way that the vulnerability could be exploited from within an
internal network (as well as from the external network if a firewall is
not blocking 161 traffic).

Also, the destination port will be 161 (not 162) with a source port of any
(cannot assume > 1024).

Rich Adamson
radamson at ...2127...
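As an added example (not from the original post, from Snort, or from ucd-snmp), the Python below builds SNMPv1 GetRequest messages with a small BER encoder, applies the quoted rule's payload test (content `02 01 00 04 82 01 00` searched from offset 4), and compares the quoted rule header against the any -> any, port 161 header suggested in the reply. The sample community strings, the sample addresses and the value 10.0.0.0/8 for $INTERNAL_NET are assumptions made for the example.

```python
"""Added example (not from the original post or from Snort): build SNMPv1
GetRequest messages with BER, apply the quoted rule's content test, and
compare the quoted rule header with the header suggested in the reply.
Assumed: $INTERNAL_NET = 10.0.0.0/8, sample communities and addresses."""
import ipaddress

RULE_CONTENT = bytes.fromhex("02 01 00 04 82 01 00")  # content from the quoted rule
RULE_OFFSET = 4                                       # offset: 4 from the quoted rule
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")     # assumed value of $INTERNAL_NET


def ber_len(n):
    """BER length: short form below 0x80, else 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag, value):
    return bytes([tag]) + ber_len(len(value)) + value


def snmpv1_get_request(community, request_id=1):
    """Message ::= SEQUENCE { version INTEGER(0), community OCTET STRING, GetRequest-PDU }."""
    oid = bytes.fromhex("2b 06 01 02 01 01 01 00")  # 1.3.6.1.2.1.1.1.0 (sysDescr.0)
    varbind = ber_tlv(0x30, ber_tlv(0x06, oid) + ber_tlv(0x05, b""))
    pdu = ber_tlv(0xA0,
                  ber_tlv(0x02, bytes([request_id]))  # request-id (single byte, < 128)
                  + ber_tlv(0x02, b"\x00")             # error-status
                  + ber_tlv(0x02, b"\x00")             # error-index
                  + ber_tlv(0x30, varbind))            # variable-bindings
    return ber_tlv(0x30, ber_tlv(0x02, b"\x00") + ber_tlv(0x04, community) + pdu)


def ber_read_tlv(buf, pos):
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def community_length(payload):
    """Length of the community string, or None if this is not an SNMPv1/v2c message."""
    try:
        tag, body, _ = ber_read_tlv(payload, 0)
        if tag != 0x30:
            return None
        vtag, _, pos = ber_read_tlv(body, 0)
        ctag, community, _ = ber_read_tlv(body, pos)
    except IndexError:
        return None
    if vtag != 0x02 or ctag != 0x04:
        return None
    return len(community)


def content_matches(payload):
    """The quoted rule's payload test: substring search beginning at offset 4."""
    return payload.find(RULE_CONTENT, RULE_OFFSET) != -1


def oversized_community(payload, limit=128):
    """Length-aware alternative: flag any community string longer than `limit` bytes."""
    n = community_length(payload)
    return n is not None and n > limit


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL_NET


def quoted_rule(pkt):
    """alert udp $EXTERNAL_NET any -> $INTERNAL_NET 161:162 (content ...; offset: 4;)"""
    return (not is_internal(pkt["src"]) and is_internal(pkt["dst"])
            and 161 <= pkt["dport"] <= 162 and content_matches(pkt["payload"]))


def revised_rule(pkt):
    """alert udp any any -> any 161 (same payload test), as suggested in the reply."""
    return pkt["dport"] == 161 and content_matches(pkt["payload"])


if __name__ == "__main__":
    for name, comm in [("public", b"public"), ("256 bytes", b"A" * 256), ("300 bytes", b"A" * 300)]:
        p = snmpv1_get_request(comm)
        print(f"{name:10} content_match={content_matches(p)} oversized={oversized_community(p)}")
    inside = {"src": "10.1.2.3", "dst": "10.9.9.9", "sport": 500, "dport": 161,
              "payload": snmpv1_get_request(b"A" * 256)}  # constructed internal-source packet
    print("internal source: quoted", quoted_rule(inside), "revised", revised_rule(inside))
```

The content bytes decode as INTEGER 0 (version SNMPv1) followed by an OCTET STRING whose BER long-form length is exactly 0x0100, so the quoted rule only fires when the community string is exactly 256 bytes long; a 300-byte community encodes as `04 82 01 2c` and is missed, which is why the length-aware `oversized_community` check is shown beside it. `offset: 4` works for the intended case because any message carrying a 256-byte community has an outer SEQUENCE longer than 255 bytes, so its header is four bytes (`30 82 xx xx`) and the content begins at byte 4. The header comparison shows the reply's two points: a packet from an internal source with an arbitrary source port is ignored by the quoted header and caught by the any -> any, port 161 header.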
