Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: InfoSec Handlers Diary Blog - SANS Internet Storm Center InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
ISC Stormcast For Friday, September 9th 2016

Curious SNMP Traffic Spike

Published: 2016-09-08
Last Updated: 2016-09-08 18:40:02 UTC
by Kevin Shortt (Version: 1)
7 comment(s)

It could be nothing.  It could be something.

The ISC HoneyPot has been showing some port 161 traffic.

12:08:27.874575 IP x.x.x.x.12458 > y.y.y.y.161: GetRequest(28) .
12:09:10.952260 IP z.z.z.z.12458 > a.a.a.a.161: GetRequest(28) .

12:09:52.802179 IP b.b.b.b.12458 > c.c.c.c.161: GetRequest(28) .

So I did some poking around, read some articles [1]   and found some simlarities, etc.  No real testing per se yet.  Then after yesterday's data was collected, the ISC port data showed a curious correlation.   So I am turning to our readers.  Can any of you offer any corroborating data or anecdotes.    The pic [3]   below shows a triple in sources on Aug 11 near the time when some of the recent Cisco vulnerabilities became well known. [2]    Then a similar spike yesterday.   The numbers do not entirely warrant a deep dive, however, knowing about the events surrounding port 161 from Aug 13 (or near there), there could be something to it.


​Please leave a comment if you see anything that correlates in your travels.


ISC Handler on Duty

Keywords: SNMP
7 comment(s)
ISC Stormcast For Thursday, September 8th 2016
Diary Archives