OS-WINDOWS Microsoft Windows getbulk request attempt

This alert is triggered when an external source sends an SNMP getbulk request to an internal Windows server on UDP port 161. This behavior may be associated with attempts to gather network information, either as reconnaissance or as an attempt to exploit CVE-2002-0013 and CVE-2002-0012, known vulnerabilities in Windows SNMP services. Note that the signature's own reference metadata points to CVE-2006-5583 and Microsoft bulletin MS06-074.

Categories:

ID Number

12198

Signature

alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"OS-WINDOWS Microsoft Windows getbulk request attempt"; flow:to_server; content:"|30|"; depth:1; content:"|02 01 01 04|"; within:4; distance:1; byte_jump:1,0,relative; content:"|A5|"; content:"|02|"; within:1; distance:1; byte_jump:1,0,relative; content:"|02|"; within:1; content:!"|00|"; within:1; distance:1; content:"|02|"; within:1; distance:2; byte_jump:1,0,relative; byte_test:1,>,20,-1,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service snmp; reference:cve,2006-5583; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-074; classtype:attempted-admin; sid:12198; rev:17;)
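To help triage this alert, the following is an added example (not part of the Snort rule set or of this page) that decodes an SNMP datagram with a small BER reader and applies the same checks the signature above encodes: SNMPv2c, a GetBulkRequest PDU (tag 0xA5), non-zero non-repeaters, and a last max-repetitions byte greater than 20. All function and sample names are assumptions, the sample packet is constructed, and the decoder is slightly more general than the rule in that it also accepts long-form BER lengths.

```python
def tlv(tag, value):
    """Encode one short-form BER element (used only to build the constructed sample; length < 128)."""
    return bytes([tag, len(value)]) + value

def read_tlv(buf, pos):
    """Decode the BER element at pos; return (tag, value, next_pos). Handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_getbulk(datagram):
    """Return the fields SID 12198 inspects, or None if not a well-formed SNMP GetBulkRequest."""
    try:
        tag, body, _ = read_tlv(datagram, 0)
        if tag != 0x30:                         # outer SEQUENCE (the rule's leading |30|)
            return None
        tag, version, pos = read_tlv(body, 0)   # INTEGER version; 1 = SNMPv2c (|02 01 01|)
        tag2, community, pos = read_tlv(body, pos)  # OCTET STRING community (|04|, byte_jump skips it)
        pdu_tag, pdu, _ = read_tlv(body, pos)
        if tag != 0x02 or tag2 != 0x04 or pdu_tag != 0xA5:   # 0xA5 = GetBulkRequest-PDU
            return None
        _, req_id, p = read_tlv(pdu, 0)         # request-id (skipped by the second byte_jump)
        _, non_rep, p = read_tlv(pdu, p)        # non-repeaters (rule wants a non-zero first byte)
        _, max_rep, _ = read_tlv(pdu, p)        # max-repetitions (rule's byte_test reads its last byte)
    except IndexError:                          # truncated or malformed BER
        return None
    return {"version": int.from_bytes(version, "big"),
            "community": community.decode("latin-1"),
            "request_id": int.from_bytes(req_id, "big", signed=True),
            "non_repeaters": int.from_bytes(non_rep, "big"),
            "max_repetitions": int.from_bytes(max_rep, "big"),
            "max_rep_raw": max_rep}

def matches_rule(datagram):
    """Mirror the rule: SNMPv2c GetBulk, non-zero non-repeaters, last max-repetitions byte > 20."""
    f = parse_getbulk(datagram)
    return (f is not None and f["version"] == 1 and f["non_repeaters"] != 0
            and len(f["max_rep_raw"]) > 0 and f["max_rep_raw"][-1] > 20)

# Constructed sample: GetBulk, community "public", non-repeaters 1, max-repetitions 100, one varbind.
SAMPLE_GETBULK = tlv(0x30,
    tlv(0x02, b"\x01") + tlv(0x04, b"public") +
    tlv(0xA5, tlv(0x02, b"\x01") + tlv(0x02, b"\x01") + tlv(0x02, b"\x64") +
        tlv(0x30, tlv(0x30, tlv(0x06, b"\x2b\x06\x01\x02\x01") + tlv(0x05, b"")))))

if __name__ == "__main__":
    print(parse_getbulk(SAMPLE_GETBULK), matches_rule(SAMPLE_GETBULK))
```

Feeding the UDP payload from a captured alert packet into parse_getbulk shows the community string and max-repetitions value directly, which is usually enough to tell a scanner sweep from a legitimate monitoring poll.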

Severity

High

Recommendations/Investigative actions

Restrict SNMP access on UDP port 161 to trusted internal sources only.
Verify that SNMP services on the target Windows server are up to date with the latest security patches.