RealSecure IDS signatures for SNMP vulnerabilities

From: robert_david_graham (robert_david_graham@yahoo.com)
Date: 02/16/02


From: robert_david_graham <robert_david_graham@yahoo.com>
To: "'Tina Bird'" <tbird@precision-guesswork.com>, focus-ids@securityfocus.com
Date: Fri, 15 Feb 2002 17:33:41 -0800


> From: Tina Bird [mailto:tbird@precision-guesswork.com]
> According to the ISS Web site, they will be releasing
> signatures that are specific to the PROTOS test suite
> shortly.

The newly released RealSecure XPU contains the following signatures. As
you'll remember from my previous e-mail, the generic BlackICE "SNMP Corrupt"
signature only triggers on some types of SNMP corruption because many
implementations of SNMP accidentally send out corrupt SNMP messages. The new
RealSecure XPU helps resolve this by breaking out each of the different
types of corruption into individual signatures, allowing customers to "tune"
out non-hostile corrupted packets generated by their devices. Remember that
BlackICE and RealSecure both count "signatures" differently than most other
products; we tend to group multiple related "checks" under a single event
type; these new signatures break out each check under a separate "signature"
for tuning.

SecChkID ProductCheckName
8147 SNMP_Bad_BulkRqst_Id
8149 SNMP_Bad_BulkRqst_MaxRepeats
8148 SNMP_Bad_BulkRqst_NonRepeaters
8164 SNMP_Bad_Community_String
8152 SNMP_Bad_ErrorIndex
8151 SNMP_Bad_ErrorStatus
8144 SNMP_Bad_Generic_Trap
8153 SNMP_Bad_Header
8155 SNMP_Bad_OID
8156 SNMP_Bad_OID_Type
8150 SNMP_Bad_RequestId
8145 SNMP_Bad_Specific_Trap
8143 SNMP_Bad_Trap_AgentAddr
8142 SNMP_Bad_Trap_OID
8146 SNMP_Bad_Trap_Timestamp
8154 SNMP_Bad_Variable_Type
8168 SNMP_CommunityFormatString
8158 SNMP_Format_String
8133 SNMP_Header_Underflow
8140 SNMP_Illegal_Octal_Value
8139 SNMP_Illegal_String_Length
8137 SNMP_Illegal_SubId
8128 SNMP_Int_OverFlow
8127 SNMP_Int_Underflow
8167 SNMP_Long_Community_String
8135 SNMP_Long_Field_Length
8138 SNMP_NonZeroLength_NullType
8165 SNMP_Null_In_String
8136 SNMP_OID_Underflow
8141 SNMP_PDU_Decode_Error
8131 SNMP_String_Underflow
8130 SNMP_UInt_Overflow
8129 SNMP_UInt_Underflow
8134 SNMP_Zero_Length_Field
8132 SNMP_Extension_Octet
8169 SNMP_Long_OID
8157 SNMP_SMI_Counter64_Found
8163 SNMP_Long_String
8166 SNMP_TooManyVariables

Some of these will trigger in normal SNMP traffic (e.g. SNMP_Long_String
will likely trigger if somebody is using RMON for packet capture, which may
be legitimate; SNMP_Null_In_String will trigger on implementations that
incorrectly NUL-terminate strings). However, if you put this on a DMZ that
doesn't use SNMP, then you'll likely find a "0-day" exploit. Either way, I
would like to see events from customers -- either to write anti-signatures
to suppress known non-hostile traffic as well as signatures to separately
identify popular exploits.

Besides this XPU, ISS RealSecure has non-intrusion signatures that attempt
to "audit" network traffic. A customer might want to apply a policy that
SNMP should not be used (a good policy at this point in time). The following
three RealSecure signatures have existed for some time:

SNMP_Activity
Triggers on any SNMP activity.

SNMP_Set
Triggers only when somebody is changing/reconfiguring an SNMP agent. Good if
you use SNMP for monitoring, but don't want to use it to configure devices.

SNMP_Community
You might have a policy against "clear-text" passwords ("community-strings"
are SNMP's equivalent of passwords).

These should not be thought of as "intrusion" signatures; they are disabled
in the default configuration of RealSecure.

<op-ed>
This is a *VERY* important issue. Imagine if FTP was assumed to be free of
exploits and somebody dumped a tool on the Internet that demonstrated all
the discovered vulnerabilities all at once. This is what we are seeing here
with SNMP. Forget about IDS for a moment (people aren't quite yet hacking
it) -- instead run and disable SNMP on your devices.
</op-ed>
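As an added illustration of the per-check signatures listed in the message above (this is an example written for this page, not ISS/RealSecure code and not part of the original post), the following Python decodes an SNMPv1 message with a minimal BER parser and reports which check names a malformed packet would trip. The labels reuse the XPU names from the list, but which malformation each label covers in the product, the thresholds (32-byte community, 64 varbinds, 4-octet INTEGERs) and the sample packets are all assumptions; the packets are constructed inline with a small encoder, not captures. It also shows the tuning problem the post describes: a community string NUL-terminated by a sloppy agent trips SNMP_Null_In_String exactly as an attacker's would, which is why each check is reported separately.

```python
"""Toy SNMPv1 BER auditor that flags PROTOS-style malformations. Added example, not
ISS/RealSecure code: labels reuse XPU check names above, but mappings/thresholds are assumed."""

MAX_COMMUNITY_LEN, MAX_VARBINDS, MAX_INT_OCTETS = 32, 64, 4   # assumed tuning thresholds


class Malformed(Exception):
    pass                                                  # raised after a fatal finding is recorded


def read_tlv(buf, pos, tags, f, label="SNMP_PDU_Decode_Error"):
    """Decode one BER TLV at buf[pos:], check its tag is in `tags` (None = any); return (tag, value, end)."""
    if pos + 2 > len(buf):
        f.append("SNMP_Header_Underflow")
        raise Malformed
    t, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                     # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):         # indefinite, >32-bit or truncated length
            length = len(buf) + 1                         # guarantees the overrun check below fires
        else:
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):                           # declared length runs off the packet
        f.append("SNMP_Long_Field_Length")
        raise Malformed
    if tags is not None and t not in tags:
        f.append(label)
        raise Malformed
    return t, buf[pos:pos + length], pos + length


def read_int(buf, pos, f):
    """Read an INTEGER; empty or over-wide encodings are PROTOS's int underflow/overflow cases."""
    _tag, val, end = read_tlv(buf, pos, {0x02}, f)
    if not val or len(val) > MAX_INT_OCTETS:
        f.append("SNMP_Int_Underflow" if not val else "SNMP_Int_OverFlow")
        return None, end
    return int.from_bytes(val, "big", signed=True), end


def audit_snmp(pkt):
    """Return the check names one SNMPv1 message triggers (empty list = clean)."""
    f = []
    try:
        _tag, msg, _end = read_tlv(pkt, 0, {0x30}, f)
        _version, pos = read_int(msg, 0, f)               # v2c is not modelled; treated as v1
        _tag, community, pos = read_tlv(msg, pos, {0x04}, f, "SNMP_Bad_Community_String")
        if b"\x00" in community:
            f.append("SNMP_Null_In_String")
        if b"%" in community:
            f.append("SNMP_CommunityFormatString")        # printf-style token in a password
        if len(community) > MAX_COMMUNITY_LEN:
            f.append("SNMP_Long_Community_String")
        _tag, pdu, _end = read_tlv(msg, pos, {0xA0, 0xA1, 0xA2, 0xA3}, f)   # v1 Get/GetNext/Response/Set
        pos = 0
        for _field in ("request-id", "error-status", "error-index"):
            _value, pos = read_int(pdu, pos, f)
        _tag, vbl, _end = read_tlv(pdu, pos, {0x30}, f)
        pos, count = 0, 0
        while pos < len(vbl):
            _tag, vb, pos = read_tlv(vbl, pos, {0x30}, f)
            _tag, oid, end = read_tlv(vb, 0, {0x06}, f, "SNMP_Bad_OID_Type")
            if not oid or oid[-1] & 0x80:                 # empty OID, or last sub-identifier never terminates
                f.append("SNMP_OID_Underflow")
            read_tlv(vb, end, None, f)                    # the value; any type accepted here
            count += 1
        if count > MAX_VARBINDS:
            f.append("SNMP_TooManyVariables")
    except Malformed:
        pass                                              # the fatal finding is already recorded
    return f


def tlv(tag, payload):
    """BER-encode one TLV (short or long-form length); used only to build sample packets."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def get_request(community, varbinds, request_id=b"\x01"):
    """Constructed SNMPv1 GetRequest (sample traffic, not a capture)."""
    pdu = tlv(0x02, request_id) + tlv(0x02, b"\x00") + tlv(0x02, b"\x00") + tlv(0x30, varbinds)
    return tlv(0x30, tlv(0x02, b"\x00") + tlv(0x04, community) + tlv(0xA0, pdu))


VB_OK = tlv(0x30, tlv(0x06, bytes([0x2B, 6, 1, 2, 1, 1, 1, 0])) + tlv(0x05, b""))  # sysDescr.0
SAMPLES = {                                                   # constructed packets, not captures
    "clean": get_request(b"public", VB_OK),
    "nul_in_community": get_request(b"public\x00", VB_OK),
    "long_community": get_request(b"A" * 200, VB_OK),
    "format_string": get_request(b"%n%n%n%n", VB_OK),
    "wide_request_id": get_request(b"public", VB_OK, request_id=b"\x7f" * 16),
    "truncated": get_request(b"public", VB_OK)[:-5],
    "too_many_varbinds": get_request(b"public", VB_OK * (MAX_VARBINDS + 1)),
    "oid_runs_off_end": get_request(b"public", tlv(0x30, tlv(0x06, b"\x2b\x86") + tlv(0x05, b""))),
}
```

Two design points mirror the post. Length and tag errors are fatal (decoding cannot continue past a field that runs off the packet), while content checks such as the NUL in the community string or an over-wide request-id are recorded and parsing carries on, so one packet can report several findings. And because every finding is a separate label, the "sloppy agent" cases can be suppressed per check, as the post suggests, without also silencing the truncation and overflow checks that a fuzzer like PROTOS exercises.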