I would like to ask for some assistance/validation on a signature issue I'm facing right now.
The customer tried to create an App-ID to identify and block any SNMP traffic that has the community string value of 'public' or 'private', and to block SNMP probes with those string values (not traps).
The App-ID didn't work for obvious reasons (no context for SNMP), and trying to create a vulnerability signature leads me to the same problem, not to mention the 7-byte limitation, which is one byte short for 'public'. I tried some other community names to test, but no dice. I believe the missing context is responsible for this issue, and using the udp-unknown context would be wrong because the traffic is known as snmp-base.
We did find an Snort signature offering the exact same thing:
alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP public access udp"; content:"public"; reference:bugtraq,2112; reference:bugtraq,4088; reference:bugtraq,4089; reference:cve,1999-0517; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1411; rev:10;)
But due to our limitations I couldn't replicate the signature; maybe I'm missing something, and that's why I would like to reach out to all of you.
Do we have a workaround for this?
Can we have a specific context for snmp created or some kind of contentless regex adoption?
What solutions could be offered (if any) at this moment?
I highly appreciate any assistance.
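An added example, not from the original post and not Palo Alto Networks or Snort code, illustrating the "missing context" point: a content match on "public" fires wherever the bytes appear, while reading the SNMP v1/v2c header tells you whether "public" is actually the community string and whether the PDU is a probe or a trap. The three packets are constructed samples, and the PDU tag values are those defined by the SNMP RFCs.

```python
"""Decode just enough BER of an SNMP v1/v2c message to read the community
string and PDU type, then flag weak-community probes (not traps)."""

# Constructed sample payloads (UDP/161 data, not captured traffic).
GET_PUBLIC = bytes.fromhex(   # v1 GetRequest, community "public", sysDescr.0
    "302602010004067075626c6963a019020101020100020100300e300c06082b060102010101000500")
TRAP_PUBLIC = bytes.fromhex(  # v1 Trap, community "public", empty varbinds
    "302602010004067075626c6963a41906062b06010401014004c0a8010a0201060201014301003000")
SET_DECOY = bytes.fromhex(    # v2c SetRequest, community "s3cret", value "public"
    "302c0201010406733363726574a31f0201020201000201003014301206082b0601020101050004067075626c6963")

WEAK_COMMUNITIES = {"public", "private"}
TRAP_PDUS = {0xA4, 0xA7}          # v1 Trap-PDU, v2c SNMPv2-Trap-PDU


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one BER TLV (short or long-form length)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:             # long form: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_snmp(payload):
    """Return (version, community, pdu_tag), or None if not SNMP v1/v2c."""
    try:
        tag, body, _ = read_tlv(payload, 0)
        if tag != 0x30:           # Message ::= SEQUENCE
            return None
        vtag, vbytes, pos = read_tlv(body, 0)
        ctag, cbytes, pos = read_tlv(body, pos)
    except IndexError:
        return None
    if vtag != 0x02 or ctag != 0x04 or pos >= len(body):
        return None
    version = int.from_bytes(vbytes, "big")
    if version not in (0, 1):     # 0 = v1, 1 = v2c; v3 carries no community string
        return None
    return version, cbytes.decode("latin-1"), body[pos]


def classify(payload):
    """'weak-community-probe' for a non-trap PDU using a weak community, else 'ok'."""
    parsed = parse_snmp(payload)
    if parsed is None:
        return "not-snmp-v1-v2c"
    _, community, pdu_tag = parsed
    if community in WEAK_COMMUNITIES and pdu_tag not in TRAP_PDUS:
        return "weak-community-probe"
    return "ok"
```

Note that `b"public" in SET_DECOY` is true, so a plain content match would fire on it, whereas the parser sees the community is "s3cret" and leaves it alone.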