Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Curious SNMP Traffic Spike - Internet Security | DShield SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Curious SNMP Traffic Spike

It could be nothing.  It could be something.

The ISC HoneyPot has been showing some port 161 traffic.

12:08:27.874575 IP x.x.x.x.12458 > y.y.y.y.161: GetRequest(28) .1.3.6.1.2.1.1.1.0
12:09:10.952260 IP z.z.z.z.12458 > a.a.a.a.161: GetRequest(28) .1.3.6.1.2.1.1.1.0
12:09:52.802179 IP b.b.b.b.12458 > c.c.c.c.161: GetRequest(28) .1.3.6.1.2.1.1.1.0


So I did some poking around, read some articles [1]   and found some simlarities, etc.  No real testing per se yet.  Then after yesterday's data was collected, the ISC port data showed a curious correlation.   So I am turning to our readers.  Can any of you offer any corroborating data or anecdotes.    The pic [3]   below shows a triple in sources on Aug 11 near the time when some of the recent Cisco vulnerabilities became well known. [2]    Then a similar spike yesterday.   The numbers do not entirely warrant a deep dive, however, knowing about the events surrounding port 161 from Aug 13 (or near there), there could be something to it.
















[1] http://blog.level3.com/security/shadow-brokers-hit-light-of-day/
[2] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-asa-snmp
​[3] https://isc.sans.edu/port.html?port=161
 

​Please leave a comment if you see anything that correlates in your travels.

-Kevin

--
ISC Handler on Duty

 Kevin Shortt

81 Posts
ISC Handler
Reply Subscribe Sep 8th 2016
2 years ago
I get tons of SNMP traffic, usually combined with telnet and ping/traceroute. It's been a couple years now, and as usual, my ISP doesn't care about spoofed traffic.
 Anonymous
Reply Quote Sep 8th 2016
2 years ago
The request: 1.3.6.1.2.1.1.1.0 seems to be related to AirNovo Wireless Access Point
http://www.alvestrand.no/objectid/1.3.6.1.2.1.1.1.0.html
 Anonymous
Reply Quote Sep 9th 2016
2 years ago
Nope, this is the default SNMP branch (sysDesc)
alvestrand.no/objectid/…
 Xme

428 Posts
ISC Handler
Reply Quote Sep 9th 2016
2 years ago
I would say this is a way of trying to guess what your device is to prepare for a specific attack.
 Xme
1 Posts
Reply Quote Sep 9th 2016
2 years ago
I see a similar spike in SNMP requests in my logs on Sep 6-Sep 7. Went back to baseline levels on Sep 8. All IP's were already in my log for earlier SNMP probing though, so it seems they cranked up their activity for a short while.
 asclepi

2 Posts
Reply Quote Sep 10th 2016
2 years ago
Hi there,

what is the name of tool ?

Thanks
 Anonymous
Reply Quote Sep 10th 2016
2 years ago
Related to the CISCO ASA vuln?
 Anonymous
Reply Quote Sep 10th 2016
2 years ago

Sign Up for Free or Log In to start participating in the conversation!