PROTOCOL-SNMP request udp

This alert is triggered when a host in $EXTERNAL_NET sends a UDP datagram to port 161 (the SNMP agent port) on a host in $HOME_NET. The rule has no content match, so it fires on any SNMP request arriving from outside (get, getnext, getbulk or set), not only on getbulk requests, and against any SNMP agent, not only Windows. The references attached to the rule (CVE-2002-0012, CVE-2002-0013 and BugTraq IDs 4088, 4089 and 4132) cover the 2002 SNMPv1 request- and trap-handling vulnerabilities that affected many vendors' SNMP implementations; the rule itself is classified as reconnaissance (classtype attempted-recon) and is an indicator that an untrusted source is probing or enumerating an internal agent, not proof of exploitation.

Categories:

ID Number

1417

Signature

alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP request udp"; flow:to_server; metadata:policy max-detect-ips drop, ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1417; rev:18;)

Severity

High

Recommendations/Investigative actions

Restrict SNMP access on UDP port 161 to trusted management hosts only, at the perimeter and on host firewalls.

Confirm whether the source address is an authorised SNMP manager; if it is, tune $EXTERNAL_NET/$HOME_NET or add a pass rule rather than ignoring the alert.

Inspect the payload: note the SNMP version, the community string (default strings such as public or private indicate a weak configuration) and the PDU type (a set request or a getnext/getbulk walk warrants more attention than a single get).

Verify that the SNMP service on the targeted host is patched and, where possible, uses SNMPv3 with authentication rather than v1/v2c community strings.
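Because the signature has no content match, the alert alone does not say which request type or community string the source used. The following script is an added example (not part of the rule or the Snort ruleset): a minimal BER decoder for SNMPv1/v2c messages that pulls out the version, community, PDU type and requested OIDs, plus a small triage function that applies the checks listed above. The datagrams, addresses and the trusted-manager set are constructed for illustration; the decoder is assumed to receive the raw UDP payload as captured by Snort or a pcap.

```python
"""Triage for PROTOCOL-SNMP request udp (sid:1417): decode the SNMPv1/v2c request
that hit UDP/161.  Added example, not part of the rule; sample datagrams are
constructed with the small encoder at the bottom, not captured traffic."""

# PDU tags are context-specific constructed types (RFC 1157 / RFC 3416).
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap", 0xA5: "GetBulkRequest",
             0xA6: "InformRequest", 0xA7: "SNMPv2-Trap"}
VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}


def read_tlv(buf, pos):
    """Read one BER tag-length-value at pos; returns (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated before tag/length")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length (0x81..0x84)
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("length exceeds datagram")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """BER OID body to dotted form; the first byte packs the first two arcs."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:                   # base-128, high bit = continuation
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def decode_snmp(datagram):
    """Version, community, PDU type, request-id and OIDs of a v1/v2c message."""
    tag, msg, _ = read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message (outer SEQUENCE missing)")
    _, ver, pos = read_tlv(msg, 0)
    version = VERSIONS.get(int.from_bytes(ver, "big"), "unknown")
    if version == "v3":                    # no community; USM header instead
        return {"version": "v3", "community": None, "pdu": None, "varbinds": []}
    tag, community, pos = read_tlv(msg, pos)
    if tag != 0x04:
        raise ValueError("community OCTET STRING missing")
    pdu_tag, pdu, _ = read_tlv(msg, pos)
    if pdu_tag not in PDU_TYPES:
        raise ValueError("unknown PDU tag 0x%02x" % pdu_tag)
    _, req_id, pos = read_tlv(pdu, 0)
    _, _field1, pos = read_tlv(pdu, pos)   # error-status / non-repeaters
    _, field2, pos = read_tlv(pdu, pos)    # error-index / max-repetitions
    _, vbl, _ = read_tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(vbl):                  # each VarBind is SEQUENCE { OID, value }
        _, vb, pos = read_tlv(vbl, pos)
        _, oid, _ = read_tlv(vb, 0)
        oids.append(decode_oid(oid))
    out = {"version": version, "community": community.decode("latin-1"),
           "pdu": PDU_TYPES[pdu_tag], "request_id": int.from_bytes(req_id, "big"),
           "varbinds": oids}
    if pdu_tag == 0xA5:
        out["max_repetitions"] = int.from_bytes(field2, "big")
    return out


def triage(src_ip, decoded, trusted_managers, default_communities=("public", "private")):
    """Findings an analyst wants before closing a sid:1417 alert."""
    findings = []
    if src_ip not in trusted_managers:
        findings.append("source is not an authorised SNMP manager")
    if decoded["community"] in default_communities:
        findings.append("default community string")
    if decoded["pdu"] == "SetRequest":
        findings.append("write attempt")
    if decoded["pdu"] in ("GetNextRequest", "GetBulkRequest"):
        findings.append("walk-style enumeration")
    return findings


# --- minimal BER encoder, used only to construct the sample datagrams ---
def tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def ber_int(v):                            # non-negative INTEGER, minimal form
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def ber_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, (a & 0x7F) | 0x80)
            a >>= 7
        body.extend(chunk)
    return tlv(0x06, bytes(body))

def build_request(pdu_tag, version, community, oids, request_id=1, f1=0, f2=0):
    varbinds = b"".join(tlv(0x30, ber_oid(o) + tlv(0x05, b"")) for o in oids)
    pdu = tlv(pdu_tag, ber_int(request_id) + ber_int(f1) + ber_int(f2) + tlv(0x30, varbinds))
    return tlv(0x30, ber_int(version) + tlv(0x04, community.encode()) + pdu)

# Constructed samples: a v2c GetBulk walk of sysDescr.0/sysName.0 with the default
# community, and a v1 Get of sysUpTime.0 from an assumed trusted manager.
BULK_WALK = build_request(0xA5, 1, "public", ["1.3.6.1.2.1.1.1.0", "1.3.6.1.2.1.1.5.0"],
                          request_id=42, f1=0, f2=10)
V1_GET = build_request(0xA0, 0, "s3cret-ro", ["1.3.6.1.2.1.1.3.0"], request_id=7)

if __name__ == "__main__":
    for src, pkt in (("203.0.113.9", BULK_WALK), ("10.0.0.5", V1_GET)):
        d = decode_snmp(pkt)
        print(src, d, triage(src, d, trusted_managers={"10.0.0.5"}))
```

Run it to see the two outcomes side by side: the getbulk from 203.0.113.9 with community public yields three findings (untrusted source, default community, walk-style enumeration), while the get from the trusted manager yields none and is a candidate for a pass rule. The decoder deliberately stops at the version field for SNMPv3, whose header carries USM security parameters instead of a community string; a truncated or non-SNMP payload raises ValueError rather than returning partial results.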