Full Disclosure mailing list archives
Re: SNMP Broadcasts
From: Mohit Muthanna <mohit.muthanna () gmail com>
Date: Wed, 14 Jul 2004 13:30:03 -0400
>> Not much you can do to stop the portscans.
>
> Like hell there isn't. F-I-R-E-W-A-L-L.

Agreed... they "block" the port scans... but they don't "stop" it (which was my point). The portscans will continue for as long as the trojan/scanner/scumoftheearth is running.

>>> SNMP goes to ports 161 and 162, *only*.
>>
>> No... those are just the default ports for the stock agents. Sysedge (for example) uses 1691 for Get/Set requests.
>
> This is not, *technically* SNMP, as it is not using its assigned ports. This is a variant, and interestingly, that port is assigned to

It is SNMP. Not a variant. It's just running on a different port. In any case, sometimes the different applications running on a server are SNMP enabled. And when you have the stock OS SNMP daemon listening for SNMP requests on udp161, the applications cannot use that port. They therefore resort to their own high port numbers. System Edge is an extensible SNMP agent similar in many ways to net-snmp. It provides more information than an OS's stock agent, but it's still SNMP and not a variant.

> empire-empuma 1691/tcp empire-empuma
> empire-empuma 1691/udp empire-empuma
>
> Unless Sysedge is the descendant of "empire-empuma", it doesn't belong there either.

That is the case... Empire makes (made) sysedge: http://www.empire.com/products/systemedge/index.htm

>>> Could this be some kind of SNMP DoS as I get several/second?
>>
>> I'll tell you what it could (likely) be:
>> - An unconfigured SNMP agent on the network (on a Linux or Windows box maybe).
>
> More specific: a misconfigured agent on the LOCAL network segment.

agreed.

>> - Your service provider's actual switch is misconfigured.
>
> Not at all likely.

I've worked with (and currently work for) different service providers in the Telco and IP space. The above is entirely likely. Even with the most sophisticated network management tools, large service providers still screw up bad. It's unfortunate.

>> I haven't heard of SNMP DoS's but hey... anything's possible.
>
> I have, and have seen them, but that's not relevant here, as this guy's entire post made obvious that SNMP was not involved.

okay.

>> I know I shouldn't be asking this, but... Do you know how to use Ethereal?
>
> Good call. It'll answer most of your questions. Unfortunately, the odds of this kind of newbie being able to successfully utilize it are slim. Still, if he is going to ask for help with odd packets, he must be able to document them, and this is the standard way to do so.

agreed.

--
Mohit Muthanna, CISSP [mohit (at) muthanna (uhuh) com]
"There are 10 types of people. Those who understand binary, and those who don't."

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
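Two points in the exchange above, that SNMP on port 1691 is still SNMP and that the packets should be documented with a capture tool such as Ethereal, both come down to reading the SNMP message header rather than trusting the UDP port. The following is an added example, not code from this thread and not from SysEdge, Empire or net-snmp: it decodes the BER header of an SNMPv1/v2c message (SEQUENCE of version, community and PDU), then flags the two conditions the thread discusses, an agent on a non-default port and a request sent to a broadcast address. The sample packets, the 192.168.1.0/24 subnet, and all function names are constructed for this example.

```python
# Added example (not code from the thread, SysEdge, or Empire): identify SNMPv1/v2c
# by decoding the BER message header instead of trusting the UDP port, then flag
# an agent on a non-default port and a request aimed at a broadcast address.
# All sample traffic below is constructed for the example.
import ipaddress
from dataclasses import dataclass

SNMP_DEFAULT_PORTS = {161, 162}
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap", 0xA5: "GetBulkRequest",
             0xA6: "InformRequest", 0xA7: "SNMPv2-Trap"}


def _read_tlv(buf: bytes, pos: int):
    """Read one BER tag-length-value at buf[pos:]; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length: 0x8N then N octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length


@dataclass
class SnmpHeader:
    version: str      # "v1" or "v2c"
    community: str
    pdu_type: str


def parse_snmp(payload: bytes):
    """Return an SnmpHeader if payload is a well-formed SNMPv1/v2c message, else None.

    SNMP message = SEQUENCE { version INTEGER, community OCTET STRING, PDU }.
    """
    try:
        tag, msg, end = _read_tlv(payload, 0)
        if tag != 0x30 or end != len(payload):
            return None
        tag, ver, pos = _read_tlv(msg, 0)
        if tag != 0x02 or ver not in (b"\x00", b"\x01"):
            return None
        tag, community, pos = _read_tlv(msg, pos)
        if tag != 0x04:
            return None
        tag, _pdu, pos = _read_tlv(msg, pos)
        if tag not in PDU_TYPES or pos != len(msg):
            return None
    except ValueError:
        return None
    return SnmpHeader("v1" if ver == b"\x00" else "v2c",
                      community.decode("ascii", "replace"), PDU_TYPES[tag])


def classify(dst_ip: str, dst_port: int, payload: bytes, local_subnet: str):
    """Describe one UDP datagram: None if not SNMP, else a dict of findings."""
    hdr = parse_snmp(payload)
    if hdr is None:
        return None
    dst = ipaddress.ip_address(dst_ip)
    net = ipaddress.ip_network(local_subnet, strict=False)
    return {
        "version": hdr.version,
        "pdu": hdr.pdu_type,
        "community": hdr.community,
        "nondefault_port": dst_port not in SNMP_DEFAULT_PORTS,
        "broadcast": dst == net.broadcast_address
                     or dst == ipaddress.ip_address("255.255.255.255"),
    }


# --- constructed sample traffic (short-form BER lengths are enough here) -----
def _tlv(tag: int, value: bytes) -> bytes:
    assert len(value) < 128, "sample builder supports short-form lengths only"
    return bytes([tag, len(value)]) + value


def build_get_request(community: str, oid: bytes, version: int = 0, request_id: int = 1) -> bytes:
    """Build a GetRequest for one OID with a NULL value (SNMPv1 if version=0, v2c if 1)."""
    varbind = _tlv(0x30, _tlv(0x06, oid) + _tlv(0x05, b""))
    pdu = (_tlv(0x02, bytes([request_id])) + _tlv(0x02, b"\x00")   # request-id, error-status
           + _tlv(0x02, b"\x00") + _tlv(0x30, varbind))           # error-index, varbind list
    return _tlv(0x30, _tlv(0x02, bytes([version])) + _tlv(0x04, community.encode()) + _tlv(0xA0, pdu))


SYS_DESCR_0 = bytes.fromhex("2b06010201010100")   # OID 1.3.6.1.2.1.1.1.0 (sysDescr.0)


if __name__ == "__main__":
    samples = [  # (dst_ip, dst_port, payload); local subnet 192.168.1.0/24 is assumed
        ("192.168.1.10", 161, build_get_request("public", SYS_DESCR_0)),
        ("192.168.1.10", 1691, build_get_request("public", SYS_DESCR_0)),   # SysEdge-style port
        ("192.168.1.255", 161, build_get_request("public", SYS_DESCR_0, version=1)),
        ("192.168.1.10", 161, b"GET / HTTP/1.0\r\n"),                      # not SNMP at all
    ]
    for ip, port, data in samples:
        print(ip, port, classify(ip, port, data, "192.168.1.0/24"))
```

The version, community and PDU-type fields this decoder prints are the same ones a capture tool shows in its SNMP dissection, which is what makes a capture the standard way to document odd traffic. Decoding by payload is how a datagram to 1691 gets recognised as SNMP at all, and the broadcast flag is the signature a misconfigured agent or poller on the local segment would trip; SNMPv3, whose header differs, is deliberately out of scope here.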