SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2016-09-08

Curious SNMP Traffic Spike

Published: 2016-09-08
Last Updated: 2016-09-08 18:40:02 UTC
by Kevin Shortt (Version: 1)

It could be nothing.  It could be something.

The ISC HoneyPot has been showing some port 161 traffic.

12:08:27.874575 IP x.x.x.x.12458 > y.y.y.y.161: GetRequest(28) .1.3.6.1.2.1.1.1.0
12:09:10.952260 IP z.z.z.z.12458 > a.a.a.a.161: GetRequest(28) .1.3.6.1.2.1.1.1.0
12:09:52.802179 IP b.b.b.b.12458 > c.c.c.c.161: GetRequest(28) .1.3.6.1.2.1.1.1.0

So I did some poking around, read some articles [1] and found some similarities, etc. No real testing per se yet. Then after yesterday's data was collected, the ISC port data showed a curious correlation. So I am turning to our readers. Can any of you offer any corroborating data or anecdotes? The pic [3] below shows a tripling of sources on Aug 11, near the time when some of the recent Cisco vulnerabilities became well known [2]. Then a similar spike yesterday. The numbers do not entirely warrant a deep dive; however, knowing about the events surrounding port 161 from Aug 13 (or near there), there could be something to it.

[Figure: ISC port 161 report, sources per day (see [3])]

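As an added example (not part of the diary or the ISC's own tooling), here is a small Python script that parses tcpdump SNMP decodes in the format shown above, counts distinct source addresses sending GetRequest for sysDescr (.1.3.6.1.2.1.1.1.0) to udp/161 per day, and flags any day whose source count is at least three times the mean of the preceding days, the kind of jump the diary describes. The capture days, addresses and the spike factor are constructed assumptions.

```python
import re
from collections import defaultdict

# Matches one tcpdump SNMP decode line as printed in the diary, e.g.
#   12:08:27.874575 IP 198.51.100.7.12458 > 192.0.2.10.161: GetRequest(28) .1.3.6.1.2.1.1.1.0
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.161: (?P<pdu>\w+)\(\d+\) (?P<oid>\.[\d.]+)$"
)
SYS_DESCR = ".1.3.6.1.2.1.1.1.0"  # SNMPv2-MIB::sysDescr.0, the OID seen in the diary


def parse_line(line):
    """Return (src, pdu, oid) for an SNMP-to-port-161 tcpdump line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return (m.group("src"), m.group("pdu"), m.group("oid")) if m else None


def sources_per_day(records):
    """records: iterable of (day, tcpdump_line). Returns {day: set(src)} for sysDescr GetRequests only."""
    per_day = defaultdict(set)
    for day, line in records:
        parsed = parse_line(line)
        if parsed and parsed[1] == "GetRequest" and parsed[2] == SYS_DESCR:
            per_day[day].add(parsed[0])
    return per_day


def flag_spikes(per_day, factor=3.0):
    """Flag days whose distinct-source count is >= factor * mean count of all earlier days."""
    flagged, history = [], []
    for day in sorted(per_day):
        count = len(per_day[day])
        if history and count >= factor * (sum(history) / len(history)):
            flagged.append(day)
        history.append(count)
    return flagged


def probe(src, oid=SYS_DESCR):
    """Build a constructed tcpdump line (assumed target 192.0.2.10, documentation address)."""
    return f"12:00:00.000000 IP {src}.12458 > 192.0.2.10.161: GetRequest(28) {oid}"


# Constructed sample: two sources on most days, six on 2016-08-11; the sysName probe is not counted.
SAMPLE = (
    [("2016-08-09", probe(f"198.51.100.{i}")) for i in (1, 2)]
    + [("2016-08-10", probe(f"198.51.100.{i}")) for i in (1, 3)]
    + [("2016-08-10", probe("203.0.113.5", ".1.3.6.1.2.1.1.5.0"))]  # sysName.0, filtered out
    + [("2016-08-11", probe(f"203.0.113.{i}")) for i in range(10, 16)]
    + [("2016-08-12", probe(f"198.51.100.{i}")) for i in (1, 2)]
)

if __name__ == "__main__":
    print(flag_spikes(sources_per_day(SAMPLE)))  # ['2016-08-11']
```

Feeding real `tcpdump -n udp port 161` output needs only the capture day added to each line, since tcpdump prints time of day alone.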
[1] http://blog.level3.com/security/shadow-brokers-hit-light-of-day/
[2] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-asa-snmp
[3] https://isc.sans.edu/port.html?port=161

Please leave a comment if you see anything that correlates in your travels.

-Kevin

--
ISC Handler on Duty

Keywords: SNMP