Curious SNMP Traffic Spike
It could be nothing. It could be something.
The ISC HoneyPot has been showing some port 161 traffic.
12:08:27.874575 IP x.x.x.x.12458 > y.y.y.y.161: GetRequest(28) .1.3.6.1.2.1.1.1.0
12:09:10.952260 IP z.z.z.z.12458 > a.a.a.a.161: GetRequest(28) .1.3.6.1.2.1.1.1.0
12:09:52.802179 IP b.b.b.b.12458 > c.c.c.c.161: GetRequest(28) .1.3.6.1.2.1.1.1.0
So I did some poking around, read some articles [1] and found some simlarities, etc. No real testing per se yet. Then after yesterday's data was collected, the ISC port data showed a curious correlation. So I am turning to our readers. Can any of you offer any corroborating data or anecdotes. The pic [3] below shows a triple in sources on Aug 11 near the time when some of the recent Cisco vulnerabilities became well known. [2] Then a similar spike yesterday. The numbers do not entirely warrant a deep dive, however, knowing about the events surrounding port 161 from Aug 13 (or near there), there could be something to it.
[1] http://blog.level3.com/security/shadow-brokers-hit-light-of-day/
[2] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-asa-snmp
[3] https://isc.sans.edu/port.html?port=161
Please leave a comment if you see anything that correlates in your travels.
-Kevin
--
ISC Handler on Duty
Comments