8.27. SNMP keywords
8.27.1. snmp.version
SNMP protocol version (integer). Expected values are 1, 2 (for version 2c) or 3.
snmp.version uses an, :ref:` unsigned 32-bits integer <rules-integer-keywords>`.
Syntax:
snmp.version:[op]<number>
The version can be matched exactly, or compared using the _op_ setting:
snmp.version:3 # exactly 3
snmp.version:<3 # smaller than 3
snmp.version:>=2 # greater or equal than 2
Signature example:
alert snmp any any -> any any (msg:"old SNMP version (<3)"; snmp.version:<3; sid:1; rev:1;)
8.27.2. snmp.community
SNMP community strings are like passwords for SNMP messages in version 1 and 2c. In version 3, the community string is likely to be encrypted. This keyword will not match if the value is not accessible.
The default value for the read-only community string is often "public", and "private" for the read-write community string.
Comparison is case-sensitive.
Syntax:
snmp.community; content:"private";
Signature example:
alert snmp any any -> any any (msg:"SNMP community private"; snmp.community; content:"private"; sid:2; rev:1;)
snmp.community
is a 'sticky buffer'.
snmp.community
can be used as fast_pattern
.
8.27.3. snmp.usm
SNMP User-based Security Model (USM) is used in version 3. It corresponds to the user name.
Comparison is case-sensitive.
Syntax:
snmp.usm; content:"admin";
Signature example:
alert snmp any any -> any any (msg:"SNMP usm admin"; snmp.usm; content:"admin"; sid:2; rev:1;)
snmp.usm
is a 'sticky buffer'.
snmp.usm
can be used as fast_pattern
.
8.27.4. snmp.pdu_type
SNMP PDU type (integer).
snmp.pdu_type uses an, :ref:` unsigned 32-bits integer <rules-integer-keywords>`.
Common values are:
0: GetRequest
1: GetNextRequest
2: Response
3: SetRequest
4: TrapV1 (obsolete, was the old Trap-PDU in SNMPv1)
5: GetBulkRequest
6: InformRequest
7: TrapV2
8: Report
This keyword will not match if the value is not accessible within (for ex, an encrypted SNMP v3 message).
Syntax:
snmp.pdu_type:<number>
Signature example:
alert snmp any any -> any any (msg:"SNMP response"; snmp.pdu_type:2; sid:3; rev:1;)