Suricata

SNMP is a common network management protocol that firewalls frequently need to control. In Suricata 8.0.4, SNMP app-layer hook states are not registered for firewall mode. Attempting to use any snmp:* hook in a firewall rule fails with the error: "protocol snmp does not support hook".

Without SNMP hooks, SNMP traffic on UDP port 161/162 can only be controlled at the packet layer. While packet-layer rules can accept SNMP packets, the app-layer parser still engages and the flow may be subject to default_app_policy behavior. Registering SNMP hooks would allow the firewall engine to make explicit accept/drop decisions at the application layer.

Based on the SNMP protocol structure, the following potential states are recommended:

• GET request sent
• GETNEXT request sent
• SET request sent
• GETBULK request sent
• Response received
• Trap received (v1)
• InformRequest sent
• InformRequest acknowledged
• SNMPv3 authentication/encryption negotiation
• Report received

At minimum, a request/response hook pair would enable basic firewall control. A trap hook would allow policy enforcement on unsolicited notifications (port 162).