
4507 signature with SNMPv3

mark.barrett
Level 1

Are there any known issues with the 4507/x signatures working with SNMPv3 traffic? I'm getting a lot of 4507/6 alarms related to a new server which is using SNMPv3 to talk to various devices. I haven't found anything documented, but I'm speculating that since the IDS is seeing encrypted traffic on UDP 161 it's just generating the alarm because it's not able to figure out what the traffic actually is.

3 Replies

Thanks, I had already checked that information but it doesn't seem to answer these questions.

- Would SNMPv3 traffic normally cause an "error in decoding the SNMP protocol" as indicated in the documentation?

- Do the 4507/x signatures understand & work with SNMPv3?

- Are there any known issues with the 4507/x signatures working with SNMPv3 traffic?

On 4507/6, if you look at the sig itself on a sensor, the sig states that it fires on invalid community length.

So that is where I would start.

Would SNMPv3 traffic normally cause an "error in decoding the SNMP protocol" as indicated in the documentation?

No, at least not for signature 4507/6.

Do the 4507/x signatures understand & work with SNMPv3?

Are there any known issues with the 4507/x signatures working with SNMPv3 traffic?

There is a bug [CSCef60726] saying that 4507/3 will incorrectly fire for SNMPv3 traffic.

The rest of them should work just fine.
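
For triaging the 4507/6 alarms discussed in this thread, the following added example (not part of any post above and not the sensor's own decoding logic) reads the first fields of a UDP 161 payload and reports the SNMP version and, for v1/v2c, the declared community length. In SNMPv3 the field after the version is the msgGlobalData SEQUENCE rather than a community OCTET STRING. The function names and the three sample payloads are constructed for illustration.

```python
def read_tlv(buf, off):
    """Return (tag, length, value_offset) of the BER TLV starting at off."""
    if off + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first < 0x80:                      # short-form length
        return tag, first, off
    n = first & 0x7F                      # long form: n length octets follow
    if n == 0 or n > 4 or off + n > len(buf):
        raise ValueError("unsupported or truncated length")
    return tag, int.from_bytes(buf[off:off + n], "big"), off + n


def _result(version, community_len, note):
    return {"version": version, "community_len": community_len, "note": note}


def classify_snmp(payload):
    """Report SNMP version and, for v1/v2c, the declared community length."""
    tag, _, off = read_tlv(payload, 0)
    if tag != 0x30:
        return _result(None, None, "not a BER SEQUENCE")
    tag, vlen, voff = read_tlv(payload, off)
    if tag != 0x02 or vlen < 1 or voff + vlen > len(payload):
        return _result(None, None, "missing version INTEGER")
    version = int.from_bytes(payload[voff:voff + vlen], "big")
    tag, flen, foff = read_tlv(payload, voff + vlen)
    if version in (0, 1):                 # 0 = SNMPv1, 1 = SNMPv2c
        name = "v1" if version == 0 else "v2c"
        if tag != 0x04:
            return _result(name, None, "no community OCTET STRING")
        if flen > len(payload) - foff:
            return _result(name, flen, "community length exceeds packet")
        return _result(name, flen, "ok")
    if version == 3:                      # v3 has no community field
        note = "msgGlobalData SEQUENCE" if tag == 0x30 else "unexpected field"
        return _result("v3", None, note)
    return _result(None, None, "unknown version %d" % version)


# Constructed sample payloads (not captured traffic).
V2C = bytes.fromhex("30180201010406") + b"public" + bytes.fromhex("a00b0201010201000201003000")
V3 = bytes.fromhex("301a020103300d020101020205dc04010302010304000404deadbeef")
BAD_LEN = bytes.fromhex("3008020101047f414141")  # declares 127 bytes, carries 3

if __name__ == "__main__":
    for pkt in (V2C, V3, BAD_LEN):
        print(classify_snmp(pkt))
```

Feeding it the UDP payloads from the packets that triggered the alarms shows whether they are SNMPv3 at all and whether any v1/v2c message declares a community length larger than the packet.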
