mirror of https://github.com/OISF/suricata
You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
96 lines
2.0 KiB
ReStructuredText
96 lines
2.0 KiB
ReStructuredText
SNMP keywords
|
|
=============
|
|
|
|
snmp.version
|
|
------------
|
|
|
|
SNMP protocol version (integer). Expected values are 1, 2 (for version 2c) or 3.
|
|
|
|
Syntax::
|
|
|
|
snmp.version:[op]<number>
|
|
|
|
The version can be matched exactly, or compared using the _op_ setting::
|
|
|
|
snmp.version:3 # exactly 3
|
|
snmp.version:<3 # smaller than 3
|
|
snmp.version:>=2 # greater or equal than 2
|
|
|
|
Signature example::
|
|
|
|
alert snmp any any -> any any (msg:"old SNMP version (<3)"; snmp.version:<3; sid:1; rev:1;)
|
|
|
|
snmp.community
|
|
--------------
|
|
|
|
SNMP community strings are like passwords for SNMP messages in version 1 and 2c.
|
|
In version 3, the community string is likely to be encrypted. This keyword will not
|
|
match if the value is not accessible.
|
|
|
|
The default value for the read-only community string is often "public", and
|
|
"private" for the read-write community string.
|
|
|
|
Comparison is case-sensitive.
|
|
|
|
Syntax::
|
|
|
|
snmp.community; content:"private";
|
|
|
|
Signature example::
|
|
|
|
alert snmp any any -> any any (msg:"SNMP community private"; snmp.community; content:"private"; sid:2; rev:1;)
|
|
|
|
``snmp.community`` is a 'sticky buffer'.
|
|
|
|
``snmp.community`` can be used as ``fast_pattern``.
|
|
|
|
snmp.usm
|
|
--------
|
|
|
|
SNMP User-based Security Model (USM) is used in version 3.
|
|
It corresponds to the user name.
|
|
|
|
Comparison is case-sensitive.
|
|
|
|
Syntax::
|
|
|
|
snmp.usm; content:"admin";
|
|
|
|
Signature example::
|
|
|
|
alert snmp any any -> any any (msg:"SNMP usm admin"; snmp.usm; content:"admin"; sid:2; rev:1;)
|
|
|
|
``snmp.usm`` is a 'sticky buffer'.
|
|
|
|
``snmp.usm`` can be used as ``fast_pattern``.
|
|
|
|
snmp.pdu_type
|
|
-------------
|
|
|
|
SNMP PDU type (integer).
|
|
|
|
Common values are:
|
|
|
|
- 0: GetRequest
|
|
- 1: GetNextRequest
|
|
- 2: Response
|
|
- 3: SetRequest
|
|
- 4: TrapV1 (obsolete, was the old Trap-PDU in SNMPv1)
|
|
- 5: GetBulkRequest
|
|
- 6: InformRequest
|
|
- 7: TrapV2
|
|
- 8: Report
|
|
|
|
This keyword will not match if the value is not accessible within (for ex, an encrypted
|
|
SNMP v3 message).
|
|
|
|
|
|
Syntax::
|
|
|
|
snmp.pdu_type:<number>
|
|
|
|
Signature example::
|
|
|
|
alert snmp any any -> any any (msg:"SNMP response"; snmp.pdu_type:2; sid:3; rev:1;)
|
|
|