Hi All.
I´m very new at Suricata, sorry if i made some mistakes. And English isn´t my language.
Thne goal to put a Surcita server on mi LAN and check who are checking for snmp open machines on the network. Because or snmp activated UPS, are sending us menssages that someone one the LAN are try to ask for snmp data.
Server install Already Done.
But i need some help to create a rule for SNMP attacking the suricata server.
Thanks in advance.
Regards.
I only need the Alert with the source ip data…
regards
I create a rule file with this content
#TESTING MY OWN RULES
alert snmp any any -> any any (msg:"old SNMP version (<3)"; snmp.version:<3; sid:1; rev:1;)
alert snmp any any -> any any (msg:"SNMP community private"; snmp.community; content:"private"; sid:2; rev:1;)
alert snmp any any -> any any (msg:"SNMP community public"; snmp.community; content:"public"; sid:2; rev:1;)
Access remotely with snmp to the server and not get any alert on fast.log
Regards
What version are you running?
How does your suricata.yaml look like?
How do you start suricata?