Snort Analyser
Trace name: /log/snmp.zip
Snort Output
The Snort output is:
alert.ids:
[**] [1:9000000:0] SNMP Traffic [**] [Priority: 0] 09/08-19:34:38.562375 172.31.19.54:15916 -> 172.31.19.73:161 UDP TTL:128 TOS:0x0 ID:43545 IpLen:20 DgmLen:68 Len: 40
[**] [1:9000000:0] SNMP Traffic [**] [Priority: 0] 09/08-19:34:38.565998 172.31.19.54:15917 -> 172.31.19.73:161 UDP TTL:128 TOS:0x0 ID:43546 IpLen:20 DgmLen:82 Len: 54
[**] [1:9000000:0] SNMP Traffic [**] [Priority: 0] 09/08-19:34:38.574587 172.31.19.54:15918 -> 172.31.19.73:161 UDP TTL:128 TOS:0x0 ID:43547 IpLen:20 DgmLen:70 Len: 42
[**] [1:9000000:0] SNMP Traffic [**] [Priority: 0] 09/08-19:34:38.578622 172.31.19.54:15919 -> 172.31.19.73:161 UDP TTL:128 TOS:0x0 ID:43548 IpLen:20 DgmLen:126 Len: 98
[**] [1:9000000:0] SNMP Traffic [**] [Priority: 0] 09/08-19:34:38.588037 172.31.19.54:15920 -> 172.31.19.73:161 UDP TTL:128 TOS:0x0 ID:43549 IpLen:20 DgmLen:72 Len: 44
[**] [1:9000000:0] SNMP Traffic [**] [Priority: 0] 09/08-19:34:38.591544 172.31.19.54:15921 -> 172.31.19.73:161 UDP TTL:128 TOS:0x0 ID:43550 IpLen:20 DgmLen:78 Len: 50
[**] [1:9000000:0] SNMP Traffic [**] [Priority: 0] 09/08-19:34:38.597655 172.31.19.54:15922 -> 172.31.19.73:161 UDP TTL:128 TOS:0x0 ID:43551 IpLen:20 DgmLen:68 Len: 40
[**] [1:9000000:0] SNMP Traffic [**] [Priority: 0] 09/08-19:34:38.601040 172.31.19.54:15923 -> 172.31.19.73:161 UDP TTL:128 TOS:0x0 ID:43552 IpLen:20 DgmLen:82 Len: 54
[**] [1:9000000:0] SNMP Traffic [**] [Priority: 0] 09/08-19:34:38.609643 172.31.19.54:15924 -> 172.31.19.73:161 UDP TTL:128 TOS:0x0 ID:43553 IpLen:20 DgmLen:70 Len: 42
[**] [1:9000000:0] SNMP Traffic [**] [Priority: 0] 09/08-19:34:38.613568 172.31.19.54:15925 -> 172.31.19.73:161 UDP TTL:128 TOS:0x0 ID:43554 IpLen:20 DgmLen:126 Len: 98
[**] [1:9000000:0] SNMP Traffic [**] [Priority: 0] 09/08-19:34:38.622877 172.31.19.54:15926 -> 172.31.19.73:161 UDP TTL:128 TOS:0x0 ID:43555 IpLen:20 DgmLen:72 Len: 44
[**] [1:9000000:0] SNMP Traffic [**] [Priority: 0] 09/08-19:34:38.626408 172.31.19.54:15927 -> 172.31.19.73:161 UDP TTL:128 TOS:0x0 ID:43556 IpLen:20 DgmLen:78 Len: 50
[**] [1:9000000:0] SNMP Traffic [**] [Priority: 0] 09/08-19:34:45.694092 172.31.19.54:15928 -> 172.31.19.73:161 UDP TTL:128 TOS:0x0 ID:43557 IpLen:20 DgmLen:68 Len: 40
[**] [1:9000000:0] SNMP Traffic [**] [Priority: 0] 09/08-19:34:45.698374 172.31.19.54:15929 -> 172.31.19.73:161 UDP TTL:128 TOS:0x0 ID:43558 IpLen:20 DgmLen:82 Len: 54
[**] [1:9000000:0] SNMP Traffic [**] [Priority: 0] 09/08-19:34:45.707142 172.31.19.54:15930 -> 172.31.19.73:161 UDP TTL:128 TOS:0x0 ID:43559 IpLen:20 DgmLen:70 Len: 42
[**] [1:9000000:0] SNMP Traffic [**] [Priority: 0] 09/08-19:34:45.710654 172.31.19.54:15931 -> 172.31.19.73:161 UDP TTL:128 TOS:0x0 ID:43560 IpLen:20 DgmLen:126 Len: 98
[**] [1:9000000:0] SNMP Traffic [**] [Priority: 0] 09/08-19:34:45.719879 172.31.19.54:15932 -> 172.31.19.73:161 UDP TTL:128 TOS:0x0 ID:43561 IpLen:20 DgmLen:72 Len: 44
[**] [1:9000000:0] SNMP Traffic [**] [Priority: 0] 09/08-19:34:45.723827 172.31.19.54:15933 -> 172.31.19.73:161 UDP TTL:128 TOS:0x0 ID:43562 IpLen:20 DgmLen:78 Len: 50
[**] [1:9000000:0] SNMP Traffic [**] [Priority: 0] 09/08-19:34:45.729305 172.31.19.54:15934 -> 172.31.19.73:161 UDP TTL:128 TOS:0x0 ID:43563 IpLen:20 DgmLen:68 Len: 40
[**] [1:9000000:0] SNMP Traffic [**] [Priority: 0] 09/08-19:34:45.732751 172.31.19.54:15935 -> 172.31.19.73:161 UDP TTL:128 TOS:0x0 ID:43564 IpLen:20 DgmLen:92 Len: 64
[**] [1:9000000:0] SNMP Traffic [**] [Priority: 0] 09/08-19:34:45.736156 172.31.19.54:15936 -> 172.31.19.73:161 UDP TTL:128 TOS:0x0 ID:43565 IpLen:20 DgmLen:164 Len: 136
[**] [1:9000000:0] SNMP Traffic [**] [Priority: 0] 09/08-19:34:45.739847 172.31.19.54:15937 -> 172.31.19.73:161 UDP TTL:128 TOS:0x0 ID:43566 IpLen:20 DgmLen:76 Len: 48
[**] [1:9000000:0] SNMP Traffic [**] [Priority: 0] 09/08-19:34:45.743360 172.31.19.54:15938 -> 172.31.19.73:161 UDP TTL:128 TOS:0x0 ID:43567 IpLen:20 DgmLen:190 Len: 162
[**] [1:9000000:0] SNMP Traffic [**] [Priority: 0] 09/08-19:34:45.747379 172.31.19.54:15939 -> 172.31.19.73:161 UDP TTL:128 TOS:0x0 ID:43568 IpLen:20 DgmLen:120 Len: 92
[**] [1:9000000:0] SNMP Traffic [**] [Priority: 0] 09/08-19:34:46.603293 172.31.19.54:15940 -> 172.31.19.73:161 UDP TTL:128 TOS:0x0 ID:43569 IpLen:20 DgmLen:96 Len: 68
[**] [1:9000000:0] SNMP Traffic [**] [Priority: 0] 09/08-19:34:46.607008 172.31.19.54:15941 -> 172.31.19.73:161 UDP TTL:128 TOS:0x0 ID:43570 IpLen:20 DgmLen:76 Len: 48
[**] [1:9000000:0] SNMP Traffic [**] [Priority: 0] 09/08-19:35:19.114001 172.31.19.54:15942 -> 172.31.19.73:161 UDP TTL:128 TOS:0x0 ID:43571 IpLen:20 DgmLen:68 Len: 40
[**] [1:9000000:0] SNMP Traffic [**] [Priority: 0] 09/08-19:35:27.614208 172.31.19.54:15945 -> 172.31.19.73:161 UDP TTL:128 TOS:0x0 ID:43581 IpLen:20 DgmLen:68 Len: 40
[**] [1:9000000:0] SNMP Traffic [**] [Priority: 0] 09/08-19:35:36.114419 172.31.19.54:15952 -> 172.31.19.73:161 UDP TTL:128 TOS:0x0 ID:43701 IpLen:20 DgmLen:68 Len: 40
[**] [1:9000000:0] SNMP Traffic [**] [Priority: 0] 09/08-19:35:36.117762 172.31.19.54:15953 -> 172.31.19.73:161 UDP TTL:128 TOS:0x0 ID:43702 IpLen:20 DgmLen:68 Len: 40
Rules file
alert udp any any -> any 161 (msg:"SNMP Traffic";sid:9000000;)
alert udp any any -> any 162 (msg:"SNMP Trap";sid:9000001;)
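The alert records listed above and the two rules that produced them can be triaged mechanically. The following is an added example (not code from this page or from the Snort project): a small Python parser for Snort's full alert format that builds a sid-to-message map from the rules, extracts the fields of each alert, summarises the alerts per signature and per (source, destination, port) flow, and checks that each UDP record's DgmLen equals IpLen + 8 + Len. The sample alert and rule lines embedded in the block are constructed from the listing above; the field names (sid, dgmlen, and so on) are this example's own.

```python
"""Parse Snort full-format alert output and the rules that produced it, then
summarise the alerts for triage.  Added example; sample input is constructed
from the alert.ids listing and the rules file shown on the page."""
import re
from collections import Counter
from datetime import datetime

# Constructed: three alert records copied from the alert.ids listing above.
SAMPLE_ALERTS = """\
[**] [1:9000000:0] SNMP Traffic [**] [Priority: 0] 09/08-19:34:38.562375 172.31.19.54:15916 -> 172.31.19.73:161 UDP TTL:128 TOS:0x0 ID:43545 IpLen:20 DgmLen:68 Len: 40
[**] [1:9000000:0] SNMP Traffic [**] [Priority: 0] 09/08-19:34:38.565998 172.31.19.54:15917 -> 172.31.19.73:161 UDP TTL:128 TOS:0x0 ID:43546 IpLen:20 DgmLen:82 Len: 54
[**] [1:9000000:0] SNMP Traffic [**] [Priority: 0] 09/08-19:35:36.117762 172.31.19.54:15953 -> 172.31.19.73:161 UDP TTL:128 TOS:0x0 ID:43702 IpLen:20 DgmLen:68 Len: 40
"""

# Constructed: the two rules from the "Rules file" section.
SAMPLE_RULES = """\
alert udp any any -> any 161 (msg:"SNMP Traffic";sid:9000000;)
alert udp any any -> any 162 (msg:"SNMP Trap";sid:9000001;)
"""

# One-line rule: action proto src sport -> dst dport (options)
RULE_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$')

# One alert record; \s+ between fields so it matches whether Snort's output is
# on one line per alert or in its native multi-line layout.
ALERT_RE = re.compile(
    r'\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+'
    r'\[Priority:\s*(?P<prio>\d+)\]\s+'
    r'(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+'
    r'(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+'
    r'(?P<proto>\w+)\s+TTL:(?P<ttl>\d+)\s+TOS:(?P<tos>0x[0-9a-fA-F]+)\s+ID:(?P<ipid>\d+)\s+'
    r'IpLen:(?P<iplen>\d+)\s+DgmLen:(?P<dgmlen>\d+)(?:\s+Len:\s*(?P<len>\d+))?')


def parse_rules(text):
    """Map sid -> (msg, proto, dport) from simple one-line Snort rules.
    Options are split on ';', so a msg containing ';' is not handled."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        opts = {}
        for opt in m.group("opts").split(";"):
            if ":" in opt:
                k, v = opt.split(":", 1)
                opts[k.strip()] = v.strip().strip('"')
        rules[int(opts["sid"])] = (opts.get("msg", ""), m.group("proto"), m.group("dport"))
    return rules


def parse_alerts(text):
    """Return one dict per alert record found in Snort full-format output."""
    out = []
    for m in ALERT_RE.finditer(text):
        rec = m.groupdict()
        for k in ("gid", "sid", "rev", "prio", "sport", "dport", "ttl", "ipid", "iplen", "dgmlen"):
            rec[k] = int(rec[k])
        rec["len"] = int(rec["len"]) if rec["len"] is not None else None
        # Snort prints MM/DD-HH:MM:SS.usec without a year; a fixed leap year
        # keeps 29 Feb parseable and only relative times are used below.
        rec["ts"] = datetime.strptime("2000/" + rec["ts"], "%Y/%m/%d-%H:%M:%S.%f")
        out.append(rec)
    return out


def length_consistent(rec):
    """For UDP, Snort's DgmLen should equal IpLen + 8 (UDP header) + payload Len.
    A mismatch points at a truncated or hand-edited log line."""
    if rec["proto"] != "UDP" or rec["len"] is None:
        return True
    return rec["dgmlen"] == rec["iplen"] + 8 + rec["len"]


def summarise(alerts, rules):
    """Alert counts per rule message and per (src, dst, dport) flow, plus the
    time span in seconds covered by the alerts."""
    by_sid = Counter(a["sid"] for a in alerts)
    by_flow = Counter((a["src"], a["dst"], a["dport"]) for a in alerts)
    span = 0.0
    if alerts:
        ts = [a["ts"] for a in alerts]
        span = (max(ts) - min(ts)).total_seconds()
    by_msg = {rules.get(sid, ("<unknown sid %d>" % sid,))[0]: n for sid, n in by_sid.items()}
    return {"by_msg": by_msg, "by_flow": dict(by_flow), "span_seconds": span}


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    alerts = parse_alerts(SAMPLE_ALERTS)
    print(summarise(alerts, rules))
    print("lengths consistent:", all(length_consistent(a) for a in alerts))
```

Feeding the full listing to parse_alerts gives 30 records on a single 172.31.19.54 to 172.31.19.73:161 flow in under a minute, which is the kind of per-flow count a rate-based rule or a SIEM aggregation would key on; the rules here have no rev or classtype, which is why every record shows rev 0 and Priority 0.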
Examples
You can run Snort as a stand-alone analyser over a saved capture with the "-r" option, which reads packets from a pcap file instead of a live interface. The following traces can be analysed with Snort:
- Trace with Hydra FTP crack/Bad Login
- Trace with Hydra Telnet crack
- Trace with Port Scan
- Trace with SYN Flood (DoS)
- Trace with FIN Flood (DoS)
- Trace with PDF file
- Trace with GIF file
- Trace with PNG file
- Trace with email attachments (MIME)
- Trace with email addresses
- Trace with credit card details
- Trace with DNS
- Trace with Ping sweep
- Trace with SNMP
- Trace with ARP Spoof
- Trace with Heartbleed
- Teardrop DoS
- Bittorrent