SNMP keywords
=============

snmp.version
------------

SNMP protocol version (integer). Expected values are 1, 2 (for version 2c) or 3.

snmp.version uses an :ref:`unsigned 32-bit integer <rules-integer-keywords>`.

Syntax::

  snmp.version:[op]<number>

The version can be matched exactly, or compared using the ``op`` setting::

  snmp.version:3     # exactly 3
  snmp.version:<3    # smaller than 3
  snmp.version:>=2   # greater than or equal to 2

Signature example::

  alert snmp any any -> any any (msg:"old SNMP version (<3)"; snmp.version:<3; sid:1; rev:1;)

snmp.community
--------------

SNMP community strings are like passwords for SNMP messages in version 1 and 2c.
In version 3, the community string is likely to be encrypted. This keyword will not
match if the value is not accessible.

The default value for the read-only community string is often "public", and
"private" for the read-write community string.

Comparison is case-sensitive.

Syntax::

  snmp.community; content:"private";

Signature example::

  alert snmp any any -> any any (msg:"SNMP community private"; snmp.community; content:"private"; sid:2; rev:1;)

``snmp.community`` is a 'sticky buffer'.

``snmp.community`` can be used as ``fast_pattern``.

snmp.usm
--------

SNMP User-based Security Model (USM) is used in version 3.
It corresponds to the user name.

Comparison is case-sensitive.

Syntax::

  snmp.usm; content:"admin";

Signature example::

  alert snmp any any -> any any (msg:"SNMP usm admin"; snmp.usm; content:"admin"; sid:2; rev:1;)

``snmp.usm`` is a 'sticky buffer'.

``snmp.usm`` can be used as ``fast_pattern``.

snmp.pdu_type
-------------

SNMP PDU type (integer).

snmp.pdu_type uses an :ref:`unsigned 32-bit integer <rules-integer-keywords>`.

Common values are:

- 0: GetRequest
- 1: GetNextRequest
- 2: Response
- 3: SetRequest
- 4: TrapV1 (obsolete, was the old Trap-PDU in SNMPv1)
- 5: GetBulkRequest
- 6: InformRequest
- 7: TrapV2
- 8: Report

This keyword will not match if the value is not accessible (for example, inside an
encrypted SNMP v3 message).

Syntax::

  snmp.pdu_type:<number>

Signature example::

  alert snmp any any -> any any (msg:"SNMP response"; snmp.pdu_type:2; sid:3; rev:1;)
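All four keywords on this page (snmp.version, snmp.community, snmp.usm and snmp.pdu_type) operate on fields that the SNMP parser extracts from the BER-encoded message. The Python script below is an added example and is not part of the Suricata documentation or code base: it decodes constructed SNMPv1, v2c and v3 sample messages, maps the on-wire version numbers (0 for v1, 1 for v2c, 3 for v3, per RFC 1157, 1901 and 3412) to the values the snmp.version keyword expects, leaves a field as inaccessible (``None``) when the v3 PDU is encrypted, and evaluates the page's example signatures against each message. The TLV helpers, the sample messages and the simplified signature evaluator (exact match plus ``<``, ``>``, ``<=``, ``>=`` for the integer syntax; ``content:`` treated as a case-sensitive substring test on the sticky buffer) are this example's own assumptions, not Suricata's implementation.

```python
import operator
import re

# --- Minimal BER/DER helpers (definite-length encoding is all SNMP uses) ---

def tlv(tag, content):
    """Encode one tag-length-value element (short or long definite length)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def integer(n):
    """DER INTEGER for a non-negative value (a leading 0x00 is added when the high bit is set)."""
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def read_tlv(buf, pos):
    """Decode the element at buf[pos]; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    content = buf[pos:pos + length]
    if len(content) != length:
        raise ValueError("truncated element")
    return tag, content, pos + length

def children(content):
    """Split the content of a SEQUENCE (or other constructed type) into (tag, content) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, value, pos = read_tlv(content, pos)
        out.append((tag, value))
    return out

# --- Extract the fields the four keywords look at ---------------------------

# Wire value -> keyword value: version-1 is encoded as 0, version-2c as 1, SNMPv3 as 3.
VERSION_BY_WIRE = {0: 1, 1: 2, 3: 3}

def parse_snmp(msg):
    """Return the keyword-visible fields of one SNMP message; None marks an inaccessible field."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("SNMP message must start with a SEQUENCE")
    fields = children(body)
    raw_version = int.from_bytes(fields[0][1], "big")
    info = {"version": VERSION_BY_WIRE.get(raw_version), "community": None, "usm": None, "pdu_type": None}
    if raw_version in (0, 1):
        # v1 / v2c: SEQUENCE { version, community OCTET STRING, PDU [n] }
        info["community"] = fields[1][1]
        info["pdu_type"] = fields[2][0] & 0x1F           # context-specific tag number == PDU type
    elif raw_version == 3:
        # v3: SEQUENCE { version, msgGlobalData, msgSecurityParameters OCTET STRING, msgData }
        usm = children(children(fields[2][1])[0][1])      # UsmSecurityParameters SEQUENCE inside the OCTET STRING
        info["usm"] = usm[3][1]                           # msgUserName
        if fields[3][0] == 0x30:                          # plaintext ScopedPDU: contextEngineID, contextName, PDU
            info["pdu_type"] = children(fields[3][1])[2][0] & 0x1F
        # an OCTET STRING here is an encrypted ScopedPDU, so the PDU type stays inaccessible
    return info

# --- Evaluate the page's signatures against the extracted fields ------------

OPS = {None: operator.eq, "<": operator.lt, ">": operator.gt, "<=": operator.le, ">=": operator.ge}

def int_match(spec, value):
    """Evaluate the [op]<number> syntax ("3", "<3", ">=2"); an inaccessible value never matches."""
    if value is None:
        return False
    op, number = re.fullmatch(r"(<=|>=|<|>)?(\d+)", spec).groups()
    return OPS[op](value, int(number))

def buffer_has(buf, needle):
    """content:"..." on a sticky buffer: case-sensitive substring match, no match when the buffer is absent."""
    return buf is not None and needle in buf

SIGNATURES = [  # (msg, predicate) pairs mirroring the signature examples on this page
    ("old SNMP version (<3)", lambda f: int_match("<3", f["version"])),
    ("SNMP community private", lambda f: buffer_has(f["community"], b"private")),
    ("SNMP usm admin", lambda f: buffer_has(f["usm"], b"admin")),
    ("SNMP response", lambda f: int_match("2", f["pdu_type"])),
]

def alerts(msg):
    """Return the msg strings of every signature that fires on this message."""
    fields = parse_snmp(msg)
    return [name for name, pred in SIGNATURES if pred(fields)]

# --- Constructed sample messages (hand-built for this example, not captures) --

SYSDESCR_0 = tlv(0x06, bytes.fromhex("2b06010201010100"))            # OID 1.3.6.1.2.1.1.1.0

# SNMPv1 GetRequest for sysDescr.0 with community "public"
V1_GET = tlv(0x30, integer(0) + tlv(0x04, b"public")
             + tlv(0xA0, integer(1) + integer(0) + integer(0)
                   + tlv(0x30, tlv(0x30, SYSDESCR_0 + tlv(0x05, b"")))))

# SNMPv2c Response carrying sysDescr.0 = "Linux", community "private"
V2C_RESPONSE = tlv(0x30, integer(1) + tlv(0x04, b"private")
                   + tlv(0xA2, integer(1) + integer(0) + integer(0)
                         + tlv(0x30, tlv(0x30, SYSDESCR_0 + tlv(0x04, b"Linux")))))

# SNMPv3 authPriv message for user "admin"; msgData is an OCTET STRING (encrypted ScopedPDU)
USM_PARAMS = tlv(0x30, tlv(0x04, bytes.fromhex("80000000010a000001")) + integer(1) + integer(42)
                 + tlv(0x04, b"admin") + tlv(0x04, bytes(12)) + tlv(0x04, bytes(8)))
V3_ENCRYPTED = tlv(0x30, integer(3)
                   + tlv(0x30, integer(1) + integer(65507) + tlv(0x04, b"\x03") + integer(3))
                   + tlv(0x04, USM_PARAMS)
                   + tlv(0x04, bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")))  # placeholder ciphertext

if __name__ == "__main__":
    for name, msg in (("v1 GetRequest", V1_GET), ("v2c Response", V2C_RESPONSE), ("v3 encrypted", V3_ENCRYPTED)):
        print(name, parse_snmp(msg), alerts(msg))
```

Running the script shows the v2c Response triggering all three of the version, community and pdu_type signatures, the v1 GetRequest only the version one, and the encrypted v3 message only the USM one: its PDU type is inaccessible, which is exactly the case in which snmp.pdu_type is documented not to match.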