SANS ISC: Curious SNMP Traffic Spike

• SANS Site Network
  • Current Site
  • SANS Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

It could be nothing.  It could be something.

The ISC HoneyPot has been showing some port 161 traffic.

12:08:27.874575 IP x.x.x.x.12458 > y.y.y.y.161: GetRequest(28) .1.3.6.1.2.1.1.1.0
12:09:10.952260 IP z.z.z.z.12458 > a.a.a.a.161: GetRequest(28) .1.3.6.1.2.1.1.1.0
12:09:52.802179 IP b.b.b.b.12458 > c.c.c.c.161: GetRequest(28) .1.3.6.1.2.1.1.1.0

So I did some poking around, read some articles [1]   and found some simlarities, etc.  No real testing per se yet.  Then after yesterday's data was collected, the ISC port data showed a curious correlation.   So I am turning to our readers.  Can any of you offer any corroborating data or anecdotes.    The pic [3]   below shows a triple in sources on Aug 11 near the time when some of the recent Cisco vulnerabilities became well known. [2]    Then a similar spike yesterday.   The numbers do not entirely warrant a deep dive, however, knowing about the events surrounding port 161 from Aug 13 (or near there), there could be something to it.

[1] http://blog.level3.com/security/shadow-brokers-hit-light-of-day/
[2] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-asa-snmp
​[3] https://isc.sans.edu/port.html?port=161
 

​Please leave a comment if you see anything that correlates in your travels.

-Kevin

--
ISC Handler on Duty