Threat Level: green Handler on Duty: Tom Webb

SANS ISC: Curious SNMP Traffic Spike - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Curious SNMP Traffic Spike

It could be nothing.  It could be something.

The ISC HoneyPot has been showing some port 161 traffic.

12:08:27.874575 IP x.x.x.x.12458 > y.y.y.y.161: GetRequest(28) .1.3.6.1.2.1.1.1.0
12:09:10.952260 IP z.z.z.z.12458 > a.a.a.a.161: GetRequest(28) .1.3.6.1.2.1.1.1.0

12:09:52.802179 IP b.b.b.b.12458 > c.c.c.c.161: GetRequest(28) .1.3.6.1.2.1.1.1.0


So I did some poking around, read some articles [1]   and found some simlarities, etc.  No real testing per se yet.  Then after yesterday's data was collected, the ISC port data showed a curious correlation.   So I am turning to our readers.  Can any of you offer any corroborating data or anecdotes.    The pic [3]   below shows a triple in sources on Aug 11 near the time when some of the recent Cisco vulnerabilities became well known. [2]    Then a similar spike yesterday.   The numbers do not entirely warrant a deep dive, however, knowing about the events surrounding port 161 from Aug 13 (or near there), there could be something to it.
















[1] http://blog.level3.com/security/shadow-brokers-hit-light-of-day/
[2] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-asa-snmp
​[3] https://isc.sans.edu/port.html?port=161
 

​Please leave a comment if you see anything that correlates in your travels.

-Kevin

--
ISC Handler on Duty

Kevin Shortt

81 Posts
ISC Handler
I get tons of SNMP traffic, usually combined with telnet and ping/traceroute. It's been a couple years now, and as usual, my ISP doesn't care about spoofed traffic.
Anonymous

Posts
The request: 1.3.6.1.2.1.1.1.0 seems to be related to AirNovo Wireless Access Point
http://www.alvestrand.no/objectid/1.3.6.1.2.1.1.1.0.html
Anonymous

Posts
Nope, this is the default SNMP branch (sysDesc)
alvestrand.no/objectid/…
Xme

249 Posts Posts
ISC Handler
I would say this is a way of trying to guess what your device is to prepare for a specific attack.
Anonymous

Posts
I see a similar spike in SNMP requests in my logs on Sep 6-Sep 7. Went back to baseline levels on Sep 8. All IP's were already in my log for earlier SNMP probing though, so it seems they cranked up their activity for a short while.
asclepi

2 Posts Posts
Hi there,

what is the name of tool ?

Thanks
Anonymous

Posts
Related to the CISCO ASA vuln?
Anonymous

Posts

Sign Up for Free or Log In to start participating in the conversation!