Feature #8691
open
detect: SNMP Varbind Keywords
Description
In the recent exploitation of CVE-2025-20352, it would have been ideal to alert on shell metachars in a reconstructed SNMP value across a session, but since the commands were split across multiple SNMP packets, each carrying a small payload, this made the attempt at detection near impossible without major performance implications.
SNMP can carry multiple varbinds in a single request. Each varbind appears as a triplet:
- snmp.oid - (sticky buffer) keyword to match an exact OID or a prefix (subtree) OID
- snmp.data_type - (e.g. int32 - "2", octet string - "Cisco IOS Software, Catalyst 4500", counter32/64 - "41239842", time ticks - "1452300", ip address - "192.168.1.50", null - "0x0500")
- snmp.value - (sticky buffer) decoded [full] value across a session
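A worked illustration of the three proposed keywords, added here as an example and not code from Suricata or from the reporter: it BER-decodes the varbinds of SNMP v2c SetRequest messages, reports each one as (oid, data_type, value), and reassembles octet-string values per OID across a flow so that a pattern split over several packets can still be matched, which a per-packet check misses. The packets, the community string, the command fragments and the OID 1.3.6.1.4.1.99999.1.1 are constructed for the example (that OID is a placeholder, not a real object); the names SnmpSession, per_packet_hits and the CHAINED_CMD pattern are the example's own, not anything in Suricata.

```python
"""BER decode of SNMP v2c SetRequest varbinds with per-flow value reassembly (example code)."""
import re

INTEGER, OCTET_STRING, NULL, OID, SEQUENCE, SET_REQUEST = 0x02, 0x04, 0x05, 0x06, 0x30, 0xA3
TYPE_NAMES = {0x02: "int32", 0x04: "octet_string", 0x05: "null", 0x40: "ip_address",
              0x41: "counter32", 0x42: "gauge32", 0x43: "time_ticks", 0x46: "counter64"}
# A chaining metachar followed by a second command word. A fragment that ends in ";"
# or starts with " nc" does not match on its own; the reassembled value does.
CHAINED_CMD = re.compile(r"[;|&]\s*[A-Za-z]")

# --- minimal BER encoder, used only to build the constructed sample packets ---
def tlv(tag, body):
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x81, n])) + body

def enc_int(v):
    return tlv(INTEGER, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))

def enc_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:                      # base-128, high bit set on all but the last byte
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return tlv(OID, bytes(out))

def set_request(community, req_id, binds):
    vbl = b"".join(tlv(SEQUENCE, enc_oid(o) + v) for o, v in binds)
    pdu = tlv(SET_REQUEST, enc_int(req_id) + enc_int(0) + enc_int(0) + tlv(SEQUENCE, vbl))
    return tlv(SEQUENCE, enc_int(1) + tlv(OCTET_STRING, community) + pdu)

# --- BER decoder ---
def read_tlv(buf, off):
    tag, n, off = buf[off], buf[off + 1], off + 2
    if n & 0x80:                            # long-form length
        k = n & 0x7F
        n, off = int.from_bytes(buf[off:off + k], "big"), off + k
    return tag, buf[off:off + n], off + n

def dec_oid(body):
    arcs, cur = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))

def dec_value(tag, body):
    if tag in (INTEGER, 0x41, 0x42, 0x43, 0x46):
        return int.from_bytes(body, "big", signed=(tag == INTEGER))
    if tag == 0x40:
        return ".".join(map(str, body))      # IpAddress: four raw bytes
    return None if tag == NULL else body     # octet string stays raw bytes

def varbinds(packet):
    """Yield (oid, data_type, value) for every varbind in one SNMP v1/v2c message."""
    _, msg, _ = read_tlv(packet, 0)
    _, _, off = read_tlv(msg, 0)            # version
    _, _, off = read_tlv(msg, off)          # community
    _, pdu, _ = read_tlv(msg, off)
    off = 0
    for _ in range(3):                      # request-id, error-status, error-index
        _, _, off = read_tlv(pdu, off)
    _, vbl, _ = read_tlv(pdu, off)
    off = 0
    while off < len(vbl):
        _, vb, off = read_tlv(vbl, off)
        _, oid_body, o2 = read_tlv(vb, 0)
        vtag, vbody, _ = read_tlv(vb, o2)
        yield dec_oid(oid_body), TYPE_NAMES.get(vtag, hex(vtag)), dec_value(vtag, vbody)

def oid_matches(oid, pattern, subtree=True):
    """snmp.oid semantics: exact match, or (subtree) any OID beneath the pattern."""
    return oid == pattern or (subtree and oid.startswith(pattern + "."))

def per_packet_hits(packets, oid_prefix):
    """Naive per-packet check: each varbind value is inspected in isolation."""
    return {o: v.decode("latin-1") for p in packets for o, t, v in varbinds(p)
            if t == "octet_string" and oid_matches(o, oid_prefix)
            and CHAINED_CMD.search(v.decode("latin-1"))}

class SnmpSession:
    """Concatenates octet-string values per OID across the packets of one flow."""
    def __init__(self):
        self.values = {}
    def feed(self, packet):
        for oid, dtype, value in varbinds(packet):
            if dtype == "octet_string":
                self.values[oid] = self.values.get(oid, b"") + value
    def find_chained_cmd(self, oid_prefix):
        return {o: b.decode("latin-1") for o, b in self.values.items()
                if oid_matches(o, oid_prefix) and CHAINED_CMD.search(b.decode("latin-1"))}

# Constructed two-packet flow: the command is split so no single fragment matches.
OID_CMD = "1.3.6.1.4.1.99999.1.1"        # placeholder OID for the example, not a real object
PKT1 = set_request(b"private", 1001, [(OID_CMD, tlv(OCTET_STRING, b"ls /tmp ;"))])
PKT2 = set_request(b"private", 1002, [(OID_CMD, tlv(OCTET_STRING, b" nc 10.0.0.1")),
                                      ("1.3.6.1.2.1.1.5.0", tlv(OCTET_STRING, b"sw1")),
                                      ("1.3.6.1.2.1.1.7.0", enc_int(72))])
SESSION = [PKT1, PKT2]

if __name__ == "__main__":
    print("per-packet:", per_packet_hits(SESSION, "1.3.6.1.4.1.99999"))
    s = SnmpSession()
    for p in SESSION:
        s.feed(p)
    print("per-session:", s.find_chained_cmd("1.3.6.1.4.1.99999"))
```

The per-packet pass finds nothing because the ";" and the following command word arrive in different SetRequests; the session view matches once the fragments are joined. The unbounded per-OID concatenation is the cost the description warns about: a real implementation would cap the reassembled value per flow (and likely restrict it to configured OID subtrees) to keep memory and matching time predictable.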
Updated by Lukas Sismis 1 day ago
- Subject changed from SNMP Varbind Keywords to detect: SNMP Varbind Keywords
- Status changed from New to Triaged
- Assignee set to OISF Dev
Could you supply a PCAP for this by any chance?