https://live.paloaltonetworks.com/t5/automation-api-discussions/snmp-blocking-community-string-value-public-and-private/m-p/45445#M1043 <HTML><HEAD></HEAD><BODY><P>So at this moment, no solution.&nbsp; And yes you can ask for contexts to be exposed they can update it through the App-ID process so normally it will not take as long as a feature request.</P></BODY></HTML> Wed, 28 Jan 2015 22:46:26 GMT mharman 2015-01-28T22:46:26Z https://live.paloaltonetworks.com/t5/automation-api-discussions/snmp-blocking-community-string-value-public-and-private/m-p/45444#M1042 <HTML><HEAD></HEAD><BODY><P class="p1"><SPAN class="s1">I would like to ask for some assistance/validation on a signature issue I’m facing right now.</SPAN></P><P class="p1"><SPAN class="s1"><BR /></SPAN></P><P class="p2"><SPAN class="s1"></SPAN></P><P class="p1"><SPAN class="s1">The Customer tried to create an App-ID to identify and block any snmp traffic that has the Community String value of ‘public’ or ‘private’, and block snmp probes with those string values (not traps). </SPAN></P><P class="p1"><SPAN class="s1">The App-ID didn’t work for obvious reasons (no context for snmp), and trying to create a vulnerability signature will lead me to the same problem, not to mention the 7 bytes limitation for ‘public’ that is one byte short, I tried some other community names to test but no dice, I believe that the missing context is responsible for this issue,&nbsp; and to use the udp-unkown context would be wrong because the traffic is known as (snmp-base).</SPAN></P><P class="p1"><SPAN class="s1"><BR /></SPAN></P><P class="p2"><SPAN class="s1"></SPAN></P><P class="p1"><SPAN class="s1">We did find an Snort signature offering the exact same thing:</SPAN></P><P class="p1"><SPAN class="s1"><BR /></SPAN></P><P class="p2"><SPAN class="s1"></SPAN></P><P class="p3"><SPAN style="color: #008000;">alert udp $EXTERNAL_NET</SPAN></P><P class="p4"><SPAN style="color: #008000;"> any -&gt; $HOME_NET 161 (msg:"SNMP public access udp"; content:"public"; reference:bugtraq,2112; reference:bugtraq,4088; reference:bugtraq,4089; reference:cve,1999-0517; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1411; rev:10;)</SPAN></P><P class="p4"><SPAN class="s2"><BR /></SPAN></P><P class="p2"><SPAN class="s1"></SPAN></P><P class="p1"><SPAN class="s1">But due to our limitations I couldn’t replicate the signature, maybe because I’m missing something and that’s why I would like to reach out to all of you.</SPAN></P><P class="p2"><SPAN class="s1"></SPAN></P><P class="p1"><SPAN class="s1"><BR /></SPAN></P><P class="p1"><SPAN class="s1">Do we have a workaround for this? </SPAN></P><P class="p1"><SPAN class="s1">Can we have a specific context for snmp created or some kind of contentless regex adoption? </SPAN></P><P class="p2"><SPAN class="s1"></SPAN></P><P class="p1"><SPAN class="s1">What solutions could be offered (if any) at this moment? </SPAN></P><P class="p2"><SPAN class="s1"></SPAN></P><P class="p1"><SPAN class="s1"><BR /></SPAN></P><P class="p1"><SPAN class="s1">I highly appreciate any assistance,</SPAN></P><P class="p2"><SPAN class="s1"></SPAN></P><P class="p1"><SPAN class="s1"><BR /></SPAN></P><P class="p1"><SPAN class="s1">Thanks,</SPAN></P><P class="p1"><SPAN class="s1"><BR /></SPAN></P><P class="p1"><SPAN class="s1">Claudio <BR /></SPAN></P></BODY></HTML> Thu, 15 Jan 2015 21:42:26 GMT https://live.paloaltonetworks.com/t5/automation-api-discussions/snmp-blocking-community-string-value-public-and-private/m-p/45444#M1042 clopesda 2015-01-15T21:42:26Z https://live.paloaltonetworks.com/t5/automation-api-discussions/snmp-blocking-community-string-value-public-and-private/m-p/45445#M1043 <HTML><HEAD></HEAD><BODY><P>So at this moment, no solution.&nbsp; And yes you can ask for contexts to be exposed they can update it through the App-ID process so normally it will not take as long as a feature request.</P></BODY></HTML> Wed, 28 Jan 2015 22:46:26 GMT https://live.paloaltonetworks.com/t5/automation-api-discussions/snmp-blocking-community-string-value-public-and-private/m-p/45445#M1043 mharman 2015-01-28T22:46:26Z