User guide

User-Defined Event Contexts
Proventia Network IPS G and GX Appliance User Guide
SNMP_Community context
Use the SNMP_Community context to monitor the use and possible abuse of SNMP
community strings.
Monitors
The SNMP_Community context monitors any packet containing an SNMP
community string. An SNMP community string is a clear text password in an SNMP
message. This password authenticates each message. If the password is not a valid
community name, then the message is rejected.
If an unauthorized person gains knowledge of your community strings, that person
could use that information to retrieve valuable configuration data from your
equipment or even to reconfigure your equipment.
Important: ISS strongly recommends that you use highly unique community strings
and that you reconfigure them periodically.
Examples
Detecting people trying to use old strings: If you change the SNMP community
strings, create a signature using this context to have the appliance search for people
trying to use the old strings.
Detecting the use of default strings: The X-Force database contains information
about several vulnerabilities involving default community strings on common
equipment. Attackers can attempt to access your equipment by using these default
passwords. To have the appliance detect this activity, create signatures using this
context to monitor for the default passwords relevant to the equipment at your site.
These signatures can detect attackers attempting to probe for these common
vulnerabilities.
Reference: For more information about default passwords, look up SNMP in the
X-Force database at http://xforce.iss.net.
Using this signature with Internet Scanner
If you scan your network using Internet Scanner, a signature using this context to
check for SNMP community strings may detect many instances of this event in
response to an SNMP scan.
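The two detections described under Examples above can be prototyped outside the appliance. The following is an added example, not ISS code or appliance signature syntax: it extracts the community string from an SNMPv1/v2c UDP payload and flags retired or default values. The names RETIRED, DEFAULTS, community_of, classify and build_get, and the sample strings, are assumptions made for illustration.

```python
# Added example; all sample data below is constructed.
RETIRED = {b"oldcorp-ro"}           # hypothetical strings rotated out at this site
DEFAULTS = {b"public", b"private"}  # widely known vendor defaults

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one BER TLV starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short-form length
        length = first
    else:                                 # long form: low 7 bits count the length octets
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of packet")
    return tag, buf[pos:pos + length], pos + length

def community_of(packet):
    """Return the community string of an SNMPv1/v2c UDP payload, or None."""
    try:
        tag, body, _ = _read_tlv(packet, 0)
        if tag != 0x30:                   # outer SEQUENCE
            return None
        tag, version, pos = _read_tlv(body, 0)
        if tag != 0x02 or version not in (b"\x00", b"\x01"):  # v1 = 0, v2c = 1
            return None
        tag, community, _ = _read_tlv(body, pos)
        return community if tag == 0x04 else None  # OCTET STRING
    except ValueError:                    # malformed or non-SNMP traffic
        return None

def classify(packet):
    """Label a payload 'retired', 'default', 'ok', or 'not-snmp'."""
    c = community_of(packet)
    if c is None:
        return "not-snmp"
    return "retired" if c in RETIRED else "default" if c in DEFAULTS else "ok"

def build_get(community, version=0):
    """Construct a minimal sample message with an empty GetRequest PDU body."""
    inner = bytes([0x02, 0x01, version, 0x04, len(community)]) + community + b"\xa0\x00"
    return bytes([0x30, len(inner)]) + inner
```

A "retired" hit corresponds to the old-string signature and a "default" hit to the default-string signature; expect both to fire heavily while an authorized SNMP scan is running.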
URL_Data context
Use the URL_Data context to monitor various security issues or policy issues related to
HTTP GET requests. An HTTP GET request occurs when a client, such as a Web browser,
requests a file from a Web server. The HTTP GET request is the most common way to
retrieve files on a Web server.
Monitors
The URL_Data context monitors the contents of a URL (minus the domain name or
address itself) for particular strings, when accessed through an HTTP GET request.
Note: This context does not monitor the domain name associated with an HTTP GET
request.
Example
Use this context to have the appliance monitor for attacks involving vulnerable CGI
scripts. ISS Advisory #32, released on August 9, 1999, describes how to use this
context to search for an attempt to exploit a vulnerability in a Microsoft Internet
Information Server component.
Reference: For more information, see Vulnerabilities in Microsoft Remote Data
Service at http://xforce.iss.net/alerts/advise32.php.