Feature #8691
open
detect: SNMP Varbind Keywords
Description
In recent exploitation of CVE-2025-20352, it would have been ideal to alert on shell metachars in a reconstructed SNMP value across a session, but since the commands were split across multiple SNMP packets, each carrying small payloads, this made detection nearly impossible without major performance implications.
SNMP can carry multiple varbinds in a single request. Each varbind appears as a triplet:
- snmp.oid - (sticky buffer) keyword to match exactly or a prefix (subtree) OID
- snmp.data_type - (e.g. int32 - "2", octet string - "Cisco IOS Software, Catalyst 4500", counter32/64 - "41239842", time ticks - "1452300", ip address - "192.168.1.50", null - "0x0500")
- snmp.value - (sticky buffer) decoded [full] value across a session
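The following is an added illustration of the varbind triplet and the cross-packet reassembly the request asks for; it is not Suricata code and not part of this ticket. It walks the BER structure of an SNMP v1/v2c message (SEQUENCE { version, community, PDU { request-id, error-status, error-index, SEQUENCE OF { OID, value } } }), exposes each varbind as the proposed oid / data_type / value triplet, and then concatenates octet-string values written to one OID across packets before applying a shell-metacharacter check. The OID 1.3.6.1.4.1.9.9.99.1.1.0, the community string, the two-fragment command and the choice of (community, OID) as the session key are all assumptions made for the demo; a real engine would key on the flow. The sample packets are built inline by a minimal encoder that only handles short-form lengths and OID arcs below 128; the decoder itself handles multi-byte arcs and long-form lengths.

```python
"""Added example (not Suricata code): BER varbind extraction for SNMP v1/v2c plus
cross-packet reassembly of octet-string values, mirroring the proposed
snmp.oid / snmp.data_type / snmp.value keywords."""
import re

SEQ, INT, OCTET, OID, SET_REQUEST = 0x30, 0x02, 0x04, 0x06, 0xA3
DATA_TYPES = {0x02: "int32", 0x04: "octet string", 0x05: "null", 0x06: "oid",
              0x40: "ip address", 0x41: "counter32", 0x43: "time ticks", 0x46: "counter64"}
# Metacharacter followed by the start of another command: a trailing ";" in one
# fragment does not match on its own, only the reassembled value does.
SHELL_CHAIN = re.compile(rb"[;|&`$]\s*[A-Za-z/]")

def _tlv(buf, pos):
    """Decode one BER TLV at pos -> (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                                   # base-128, high bit = continue
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def _decode_value(tag, raw):
    dtype = DATA_TYPES.get(tag, "0x%02x" % tag)
    if tag in (INT, 0x41, 0x43, 0x46):
        return dtype, int.from_bytes(raw, "big", signed=tag == INT)
    if tag == 0x40:
        return dtype, ".".join(map(str, raw))
    return dtype, _decode_oid(raw) if tag == OID else bytes(raw)   # octet string/null stay raw

def parse_snmp(packet):
    """Parse an SNMP v1/v2c message into header fields and varbind triplets."""
    tag, msg, _ = _tlv(packet, 0)
    if tag != SEQ:
        raise ValueError("not an SNMP message")
    _, ver, pos = _tlv(msg, 0)
    _, community, pos = _tlv(msg, pos)
    pdu_tag, pdu, _ = _tlv(msg, pos)
    _, req_id, pos = _tlv(pdu, 0)
    for _ in range(2):                                  # error-status, error-index
        _, _, pos = _tlv(pdu, pos)
    _, vbl, _ = _tlv(pdu, pos)
    varbinds, pos = [], 0
    while pos < len(vbl):                               # one SEQ { OID, value } per varbind
        _, vb, pos = _tlv(vbl, pos)
        _, oid_raw, p = _tlv(vb, 0)
        vtag, vraw, _ = _tlv(vb, p)
        dtype, value = _decode_value(vtag, vraw)
        varbinds.append({"oid": _decode_oid(oid_raw), "data_type": dtype, "value": value})
    return {"version": ver[0], "community": bytes(community), "pdu_tag": pdu_tag,
            "request_id": int.from_bytes(req_id, "big", signed=True), "varbinds": varbinds}

def oid_matches(oid, pattern):
    """Exact or subtree (prefix) match, the semantics proposed for snmp.oid."""
    return oid == pattern or oid.startswith(pattern + ".")

class VarbindReassembler:
    """Concatenate octet-string values written to one OID across a session (keyed
    here on community + OID; an engine would key on the flow) and report when the
    reassembled value contains a shell command chain."""
    def __init__(self, oid_prefix):
        self.oid_prefix, self.buffers = oid_prefix, {}

    def feed(self, packet):
        msg, hits = parse_snmp(packet), []
        for vb in msg["varbinds"]:
            if vb["data_type"] != "octet string" or not oid_matches(vb["oid"], self.oid_prefix):
                continue
            key = (msg["community"], vb["oid"])
            self.buffers[key] = self.buffers.get(key, b"") + vb["value"]
            if SHELL_CHAIN.search(self.buffers[key]):
                hits.append((vb["oid"], self.buffers[key]))
        return hits

# ---- constructed sample traffic (hand-built here, not a capture) ----
def _enc(tag, payload):                                 # short-form lengths suffice here
    return bytes([tag, len(payload)]) + payload

def _enc_oid(oid):                                      # arcs below 128 only (one byte each)
    arcs = [int(a) for a in oid.split(".")]
    return bytes([arcs[0] * 40 + arcs[1]] + arcs[2:])

def build_set_request(community, req_id, oid, value):
    """SNMPv2c SetRequest carrying a single octet-string varbind."""
    vb = _enc(SEQ, _enc(OID, _enc_oid(oid)) + _enc(OCTET, value))
    pdu = _enc(INT, bytes([req_id])) + _enc(INT, b"\x00") * 2 + _enc(SEQ, vb)
    return _enc(SEQ, _enc(INT, b"\x01") + _enc(OCTET, community) + _enc(SET_REQUEST, pdu))

# Hypothetical writable object under the Cisco enterprise subtree (1.3.6.1.4.1.9);
# the command is split so that neither fragment alone matches SHELL_CHAIN.
TARGET_OID = "1.3.6.1.4.1.9.9.99.1.1.0"
FRAGMENTS = [b"ping 127.0.0.1 ;", b" id"]

def run_demo():
    """Feed the fragments as separate SetRequests; returns (oid, reassembled value) hits."""
    r, hits = VarbindReassembler("1.3.6.1.4.1.9"), []
    for i, frag in enumerate(FRAGMENTS, 1):
        hits += r.feed(build_set_request(b"private", i, TARGET_OID, frag))
    return hits
```

Per-packet matching on SHELL_CHAIN sees nothing in either fragment; only the buffer accumulated by VarbindReassembler contains "; id", which is the case the ticket describes. The prefix check in oid_matches appends a "." before comparing so that a subtree rule for 1.3.6.1.2.1 does not also match 1.3.6.1.2.10.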