##alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET DELETED Cisco Torch SNMP Scan"; content:"public"; content:"|30 0C 06 08 2B 06 01 02 01 01 01 00 05 00|"; reference:url,www.hackingexposedcisco.com/?link=tools; reference:url,www.securiteam.com/tools/5EP0F1FEUA.html; reference:url,doc.emergingthreats.net/2008597; classtype:attempted-recon; sid:2008597; rev:4;)

Added 2014-09-10 17:09:11 UTC


#alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET SCAN Cisco Torch SNMP Scan"; content:"public"; content:"|30 0C 06 08 2B 06 01 02 01 01 01 00 05 00|"; fast_pattern:only; reference:url,www.hackingexposedcisco.com/?link=tools; reference:url,www.securiteam.com/tools/5EP0F1FEUA.html; reference:url,doc.emergingthreats.net/2008597; classtype:attempted-recon; sid:2008597; rev:4;)

Added 2013-10-01 22:21:05 UTC


alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET SCAN Cisco Torch SNMP Scan"; content:"public"; content:"|30 0C 06 08 2B 06 01 02 01 01 01 00 05 00|"; fast_pattern:only; reference:url,www.hackingexposedcisco.com/?link=tools; reference:url,www.securiteam.com/tools/5EP0F1FEUA.html; reference:url,doc.emergingthreats.net/2008597; classtype:attempted-recon; sid:2008597; rev:3;)

Added 2011-10-12 19:25:26 UTC

This triggers on an SNMP request of 1.3.6.1.2.1.1.1.0 (sysDescr) with the "public" community, so it is very prone to FPs. For instance, it triggers on SNMP requests to printers.

-- StephaneChazelas - 28 Mar 2012


alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET SCAN Cisco Torch SNMP Scan"; content:"public"; content:"|30 0C 06 08 2B 06 01 02 01 01 01 00 05 00|"; fast_pattern:only; classtype:attempted-recon; reference:url,www.hackingexposedcisco.com/?link=tools; reference:url,www.securiteam.com/tools/5EP0F1FEUA.html; reference:url,doc.emergingthreats.net/2008597; sid:2008597; rev:3;)

Added 2011-09-14 22:38:53 UTC


alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET SCAN Cisco Torch SNMP Scan"; content:"public"; content:"|30 0C 06 08 2B 06 01 02 01 01 01 00 05 00|"; fast_pattern:only; classtype:attempted-recon; reference:url,www.hackingexposedcisco.com/?link=tools; reference:url,www.securiteam.com/tools/5EP0F1FEUA.html; reference:url,doc.emergingthreats.net/2008597; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Cisco_Torch; sid:2008597; rev:3;)

Added 2011-02-04 17:27:47 UTC


alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET SCAN Cisco Torch SNMP Scan"; content:"public"; content:"|30 0C 06 08 2B 06 01 02 01 01 01 00 05 00|"; classtype:attempted-recon; reference:url,www.hackingexposedcisco.com/?link=tools; reference:url,www.securiteam.com/tools/5EP0F1FEUA.html; reference:url,doc.emergingthreats.net/2008597; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Cisco_Torch; sid:2008597; rev:2;)

Added 2009-02-11 19:24:44 UTC

Seems to generate FPs from Cacti activity - pcap attached.

-- RickChisholm - 05 May 2009
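Both comments above (the sysDescr/"public" observation and the Cacti false positives) can be checked directly against the rule's two content matches. The script below is an added example, not code from the Emerging Threats page or ruleset: it decodes the rule's hex content as the BER varbind it encodes, builds a minimal SNMPv1 GetRequest the way a routine poller would (a constructed packet, not the attached pcap), and applies the rule's two content matches to it. The helper names and the constructed packets are this example's own assumptions.

```python
# Added example: decode the content match of ET SID 2008597 and show why a
# routine SNMPv1 sysDescr.0 poll with community "public" satisfies it.
# Not from the Emerging Threats page or ruleset; helper names are our own.

# The two content matches from the rule, taken from the page.
SID_2008597_HEX = bytes.fromhex("300C06082B06010201010100" "0500")
COMMUNITY = b"public"


def decode_oid(body: bytes) -> str:
    """Decode the contents of a BER OBJECT IDENTIFIER into dotted form."""
    first = body[0]
    arcs = [first // 40, first % 40]        # first byte packs the first two arcs
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)   # base-128, high bit = continuation
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def decode_varbind(data: bytes):
    """Parse a BER SEQUENCE { OID, value } varbind (short-form lengths only,
    which is all the signature's 14 bytes need). Returns (oid, value type)."""
    assert data[0] == 0x30, "expected SEQUENCE"
    body = data[2:2 + data[1]]
    assert body[0] == 0x06, "expected OBJECT IDENTIFIER"
    oid_len = body[1]
    oid = decode_oid(body[2:2 + oid_len])
    value_tag = body[2 + oid_len]
    vtype = {0x05: "NULL", 0x04: "OCTET STRING", 0x02: "INTEGER"}.get(value_tag, hex(value_tag))
    return oid, vtype


def tlv(tag: int, body: bytes) -> bytes:
    """Minimal BER tag-length-value encoder (short-form length, < 128 bytes)."""
    assert len(body) < 128, "short-form length only in this example"
    return bytes([tag, len(body)]) + body


def encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID into BER OBJECT IDENTIFIER contents."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def snmpv1_get(community: bytes, oid: str, request_id: int = 1) -> bytes:
    """Build a constructed SNMPv1 GetRequest for one OID, as a poller would."""
    varbind = tlv(0x30, tlv(0x06, encode_oid(oid)) + tlv(0x05, b""))  # OID + NULL
    pdu = tlv(0xA0,                                  # context tag 0 = GetRequest-PDU
              tlv(0x02, bytes([request_id]))        # request-id
              + tlv(0x02, b"\x00")                  # error-status: noError
              + tlv(0x02, b"\x00")                  # error-index
              + tlv(0x30, varbind))                 # VarBindList
    return tlv(0x30, tlv(0x02, b"\x00")              # version: SNMPv1
               + tlv(0x04, community)               # community string
               + pdu)


def matches_sid_2008597(payload: bytes) -> bool:
    """Emulate the rule's two content matches: the rule has no distance/within
    modifiers, so both byte strings just need to appear anywhere in the payload."""
    return COMMUNITY in payload and SID_2008597_HEX in payload


if __name__ == "__main__":
    print(decode_varbind(SID_2008597_HEX))          # ('1.3.6.1.2.1.1.1.0', 'NULL')
    poll = snmpv1_get(b"public", "1.3.6.1.2.1.1.1.0")
    print("sysDescr.0 poll with 'public' matches:", matches_sid_2008597(poll))
    print("sysName.0 poll with 'public' matches:",
          matches_sid_2008597(snmpv1_get(b"public", "1.3.6.1.2.1.1.5.0")))
```

The decoded varbind is exactly sysDescr.0 requested with a NULL value, which is what every SNMP poller sends when it first identifies a device. Anything that polls sysDescr.0 with the "public" community therefore satisfies the rule, which is the source of the printer and Cacti false positives reported above; tuning on the monitoring hosts' addresses (or a non-default community) is what separates polling from a scan, not the packet bytes.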



alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET SCAN Cisco Torch SNMP Scan"; content:"public"; content:"|30 0C 06 08 2B 06 01 02 01 01 01 00 05 00|"; classtype:attempted-recon; reference:url,www.hackingexposedcisco.com/?link=tools; reference:url,www.securiteam.com/tools/5EP0F1FEUA.html; sid:2008597; rev:1;)

Added 2008-09-29 14:24:35 UTC


Topic revision: r3 - 2012-03-28 - StephaneChazelas