
SANS ISC: Port 161 Oddities (aka SNMP: so what's going on?) - SANS Internet Storm Center SANS ISC InfoSec Forums


On a very slow Sunday in January I noticed that port 161 (designated as SNMP) is still alive and kicking; however, the port 161 DShield report trend saw downward movement two weeks ago, and now we are right back at it with the same intensity. Previously it was discussed here that D-Link routers are at play, so I'd like to grab a few packets to confirm whether we are still seeing the continuance of known attacks, or if we have something else driving the Port 161 numbers up so high. If anybody has any questionable port 161 traffic they could capture and upload, I'd love to review and report on what we are seeing.

tony d0t carothers --gmail


150 Posts
ISC Handler
Jan 11th 2015
I have seen a HUGE increase in port 161 traffic hits on my IDS.

Jan 11 21:40:56 HORNET snort[996]: message repeated 8 times: [ [1:1417:9] SNMP request udp [Classification: Attempted Information Leak] [Priority: 2] {UDP} ->]
