path: root/doc/userguide/rules/snmp-keywords.rst
blob: a5349c2e5056d377c6d30349fafe09388e4cb20e

SNMP keywords
=============

snmp.version
------------

SNMP protocol version (integer). Expected values are 1, 2 (for SNMPv2c) or 3.
These are the protocol version numbers, not the raw values carried in the
message's version field (0 for SNMPv1, 1 for SNMPv2c, 3 for SNMPv3).

Syntax::

 snmp.version:[op]<number>

The version can be matched exactly, or compared using the ``op`` prefix::

 snmp.version:3    # exactly 3
 snmp.version:<3   # smaller than 3
 snmp.version:>=2  # greater or equal than 2

Signature example::

 alert snmp any any -> any any (msg:"old SNMP version (<3)"; snmp.version:<3; sid:1; rev:1;)

snmp.community
--------------

In SNMPv1 and SNMPv2c the community string is the only authentication the
protocol offers, and it is sent in cleartext, so it is readable by any sensor
on the path. SNMPv3 carries no community string at all (it uses the
User-based Security Model instead), so this keyword does not match on SNMPv3
messages, or on any message where the value is not accessible.

The default value for the read-only community string is often "public", and
"private" for the read-write community string; agents still answering to
these defaults are a frequent finding.

Comparison is case-sensitive.

Syntax::

 snmp.community; content:"private";

Signature example::

 alert snmp any any -> any any (msg:"SNMP community private"; snmp.community; content:"private"; sid:2; rev:1;)

``snmp.community`` is a 'sticky buffer'.

``snmp.community`` can be used as ``fast_pattern``.

snmp.usm
--------

SNMPv3 replaces community strings with the User-based Security Model (USM).
This buffer holds the USM user name (``msgUserName`` from the message's
security parameters). The security parameters are never encrypted, only the
scoped PDU is, so the user name stays readable even on authPriv messages.

Comparison is case-sensitive.

Syntax::

 snmp.usm; content:"admin";

Signature example::

 alert snmp any any -> any any (msg:"SNMP usm admin"; snmp.usm; content:"admin"; sid:3; rev:1;)

``snmp.usm`` is a 'sticky buffer'.

``snmp.usm`` can be used as ``fast_pattern``.

snmp.pdu_type
-------------

SNMP PDU type (integer). The number is the context-specific BER tag of the
PDU, i.e. the tag byte minus ``0xA0``.

Common values are:

 - 0: GetRequest
 - 1: GetNextRequest
 - 2: Response
 - 3: SetRequest
 - 4: TrapV1 (obsolete, was the old Trap-PDU in SNMPv1)
 - 5: GetBulkRequest
 - 6: InformRequest
 - 7: TrapV2
 - 8: Report

This keyword will not match if the PDU type is not accessible, for example in
an SNMPv3 message sent with privacy enabled, where the scoped PDU (and thus
its type) is encrypted.

Syntax::

 snmp.pdu_type:<number>

Signature example::

 alert snmp any any -> any any (msg:"SNMP response"; snmp.pdu_type:2; sid:4; rev:1;)
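
To see where the four keyword values above come from on the wire, here is a
small BER walker that extracts them from SNMPv1, v2c and v3 messages. It is an
added example, not Suricata's own parser, and the sample messages are
constructed inline with a tiny BER encoder rather than captured from a real
agent (engine IDs, request IDs and the "encrypted" bytes are made up). The
``set_with_default_community`` function and the signature quoted in its
docstring, including its placeholder sid, are assumptions showing how the
keywords combine in one rule:

```python
"""BER walker for SNMP messages that pulls out the fields behind Suricata's
snmp.version, snmp.community, snmp.usm and snmp.pdu_type keywords.

Added example, not Suricata's parser. The sample messages are constructed
with the small BER encoder below, not captured from a device."""

PDU_TYPES = {0: "GetRequest", 1: "GetNextRequest", 2: "Response", 3: "SetRequest",
             4: "TrapV1", 5: "GetBulkRequest", 6: "InformRequest", 7: "TrapV2", 8: "Report"}

# ---- minimal BER encoder (just enough to build the samples) ----------------
def tlv(tag, payload):
    n = len(payload)
    length = bytes([n]) if n < 0x80 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + payload

def ber_int(v):              # non-negative INTEGER, minimal length, sign bit clear
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def ber_str(b):              # OCTET STRING
    return tlv(0x04, b)

def seq(*items, tag=0x30):   # SEQUENCE, or a PDU when tag is 0xA0..0xA8
    return tlv(tag, b"".join(items))

# ---- minimal BER decoder ---------------------------------------------------
def ber_decode(buf):
    """Decode one TLV at the start of buf; return (tag, value, rest)."""
    if len(buf) < 2:
        raise ValueError("truncated TLV header")
    tag, length, i = buf[0], buf[1], 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[2:2 + n], "big")
        i += n
    if i + length > len(buf):                # refuse to read past the message
        raise ValueError("TLV length exceeds buffer")
    return tag, buf[i:i + length], buf[i + length:]

def ber_items(buf):
    """Decode every TLV inside a constructed value, in order."""
    out = []
    while buf:
        tag, val, buf = ber_decode(buf)
        out.append((tag, val))
    return out

def _pdu_type(tag):
    # PDUs use context-specific constructed tags: 0xA0 GetRequest ... 0xA8 Report
    if tag & 0xE0 != 0xA0:
        raise ValueError("not an SNMP PDU tag: 0x%02x" % tag)
    return tag & 0x1F

def parse_snmp(raw):
    """Return the four keyword values for one message (None = not accessible)."""
    tag, body, rest = ber_decode(raw)
    if tag != 0x30 or rest:
        raise ValueError("expected exactly one SNMP Message SEQUENCE")
    items = ber_items(body)
    wire_version = int.from_bytes(items[0][1], "big")
    # On the wire SNMPv1 is 0, SNMPv2c is 1 and SNMPv3 is 3; snmp.version uses
    # the protocol numbers 1, 2, 3, so translate the raw value.
    version = {0: 1, 1: 2, 3: 3}[wire_version]
    info = {"version": version, "community": None, "usm": None, "pdu_type": None}
    if version < 3:
        # Message ::= SEQUENCE { version, community OCTET STRING, data PDU }
        info["community"] = items[1][1].decode("latin-1")
        info["pdu_type"] = _pdu_type(items[2][0])
        return info
    # SNMPv3: SEQUENCE { msgVersion, msgGlobalData, msgSecurityParameters, msgData }
    # USM parameters are a BER SEQUENCE wrapped in an OCTET STRING; field 3 is
    # msgUserName, which is what snmp.usm matches on. They are never encrypted.
    _, usm_body, _ = ber_decode(items[2][1])
    info["usm"] = ber_items(usm_body)[3][1].decode("latin-1")
    if items[3][0] == 0x30:
        # plaintext ScopedPDU ::= SEQUENCE { contextEngineID, contextName, data PDU }
        info["pdu_type"] = _pdu_type(ber_items(items[3][1])[2][0])
    # otherwise msgData is an encryptedPDU OCTET STRING: the type is not accessible
    return info

def set_with_default_community(info):
    """Python twin of one signature combining the keywords (sid is a placeholder):
    alert snmp any any -> any any (msg:"SNMP SetRequest with default community";
        snmp.version:<3; snmp.pdu_type:3; snmp.community; content:"private";
        sid:1000001; rev:1;)"""
    return info["version"] < 3 and info["pdu_type"] == 3 and info["community"] == "private"

# ---- constructed sample messages -------------------------------------------
SYSDESCR = tlv(0x06, bytes.fromhex("2b06010201010100"))   # OID 1.3.6.1.2.1.1.1.0
VARBINDS = seq(seq(SYSDESCR, tlv(0x05, b"")))              # { sysDescr.0 = NULL }
ENGINE_ID = b"\x80\x00\x1f\x88\x80\x01\x02\x03"            # made-up engine ID

def _pdu(tag, request_id=1234):                            # request-id, error-status, error-index
    return seq(ber_int(request_id), ber_int(0), ber_int(0), VARBINDS, tag=tag)

def _v3(flags, user, msg_data, auth=b"", priv=b""):
    global_data = seq(ber_int(42), ber_int(65507), ber_str(bytes([flags])), ber_int(3))
    usm = seq(ber_str(ENGINE_ID), ber_int(5), ber_int(100), ber_str(user),
              ber_str(auth), ber_str(priv))
    return seq(ber_int(3), global_data, ber_str(usm), msg_data)

SAMPLE_V2C_GET = seq(ber_int(1), ber_str(b"public"), _pdu(0xA0))    # v2c GetRequest
SAMPLE_V1_SET = seq(ber_int(0), ber_str(b"private"), _pdu(0xA3))    # v1 SetRequest
SAMPLE_V3_PLAIN = _v3(0x04, b"admin", seq(ber_str(ENGINE_ID), ber_str(b""), _pdu(0xA0)))
SAMPLE_V3_PRIV = _v3(0x07, b"admin", ber_str(b"\xde\xad\xbe\xef" * 4),   # authPriv; stand-in
                     auth=b"\x00" * 12, priv=b"\x00" * 8)                # for encrypted PDU

if __name__ == "__main__":
    for name in ("SAMPLE_V2C_GET", "SAMPLE_V1_SET", "SAMPLE_V3_PLAIN", "SAMPLE_V3_PRIV"):
        info = parse_snmp(globals()[name])
        print(name, info, PDU_TYPES.get(info["pdu_type"]), set_with_default_community(info))
```

Running it shows the v1 SetRequest with community "private" as the only message the combined rule would fire on, and the authPriv SNMPv3 message yielding a user name but no PDU type, which is exactly the "not accessible" case the ``snmp.community`` and ``snmp.pdu_type`` sections describe.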