03-11-2013 01:10 PM - edited 03-10-2019 05:55 AM
Are there any known issues with the 4507/x signatures working with SNMPv3 traffic? I'm getting a lot of 4507/6 alarms related to a new server which is using SNMPv3 to talk to various devices. I haven't found anything documented, but I'm speculating that since the IDS is seeing encrypted traffic on UDP 161 it's just generating the alarm because it's not able to figure out what the traffic actually is.
03-11-2013 03:02 PM
03-11-2013 03:28 PM
Thanks, I had already checked that information but it doesn't seem to answer these questions.
- Would SNMPv3 traffic normally cause an "error in decoding the SNMP protocol" as indicated in the documentation?
- Do the 4507/x signatures understand & work with SNMPv3?
- Are there any known issues with the 4507/x signatures working with SNMPv3 traffic?
03-11-2013 04:20 PM
On 4507/6, if you look at the sig itself on a sensor, the sig states that it fires on invalid community length.
So that is where I would start.
Would SNMPv3 traffic normally cause an "error in decoding the SNMP protocol" as indicated in the documentation?
No, at least not for signature 4507/6.
Do the 4507/x signatures understand & work with SNMPv3?
Are there any known issues with the 4507/x signatures working with SNMPv3 traffic?
There is a bug [CSCef60726] saying that 4507/3 will incorrectly fire for SNMPv3 traffic.
The rest of them should work just fine.