6.23. SNMP keywords¶
6.23.1. snmp.version¶
SNMP protocol version (integer). Expected values are 1, 2 (for version 2c) or 3.
Syntax:
snmp.version:[op]<number>
The version can be matched exactly, or compared using the _op_ setting:
snmp.version:3 # exactly 3
snmp.version:<3 # smaller than 3
snmp.version:>=2 # greater or equal than 2
Signature example:
alert snmp any any -> any any (msg:"old SNMP version (<3)"; snmp.version:<3; sid:1; rev:1;)
6.23.2. snmp.community¶
SNMP community strings are like passwords for SNMP messages in version 1 and 2c. In version 3, the community string is likely to be encrypted. This keyword will not match if the value is not accessible.
The default value for the read-only community string is often “public”, and “private” for the read-write community string.
Comparison is case-sensitive.
Syntax:
snmp.community; content:"private";
Signature example:
alert snmp any any -> any any (msg:"SNMP community private"; snmp.community; content:"private"; sid:2; rev:1;)
snmp.community is a ‘sticky buffer’.
snmp.community can be used as fast_pattern.
6.23.3. snmp.pdu_type¶
SNMP PDU type (integer).
Common values are:
- 0: GetRequest
- 1: GetNextRequest
- 2: Response
- 3: SetRequest
- 4: TrapV1 (obsolete, was the old Trap-PDU in SNMPv1)
- 5: GetBulkRequest
- 6: InformRequest
- 7: TrapV2
- 8: Report
This keyword will not match if the value is not accessible within (for ex, an encrypted SNMP v3 message).
Syntax:
snmp.pdu_type:<number>
Signature example:
alert snmp any any -> any any (msg:"SNMP response"; snmp.pdu_type:2; sid:3; rev:1;)