Security Incidents mailing list archives
SNMP Weirdness
From: "Keith Pachulski" <keithp () corp ptd net>
Date: Mon, 20 Jan 2003 14:10:15 -0500
Has anyone seen this behavior, if so care to share the details I orginally saw these from an internal firewall, after setting up a snort to grab the traffic I logged the following: [**] weirdness ensues [**] 01/20-13:46:27.084888 X.X.X.26:1697 -> 192.0.0.192:161 UDP TTL:128 TOS:0x0 ID:22091 IpLen:20 DgmLen:265 Len: 245 30 81 EA 02 01 00 04 06 70 75 62 6C 69 63 A1 81 0.......public.. DC 02 01 00 02 01 00 02 01 00 30 81 D0 30 0B 06 ..........0..0.. 07 2B 06 01 02 01 01 01 05 00 30 0B 06 07 2B 06 .+........0...+. 01 02 01 01 03 05 00 30 0B 06 07 2B 06 01 02 01 .......0...+.... 01 05 05 00 30 0D 06 09 2B 06 01 02 01 02 02 01 ....0...+....... 06 05 00 30 0D 06 09 2B 06 01 02 01 04 14 01 01 ...0...+........ 05 00 30 0E 06 0A 2B 06 01 02 01 19 03 02 01 03 ..0...+......... 05 00 30 10 06 0C 2B 06 01 04 01 0B 02 03 09 01 ..0...+......... 01 07 05 00 30 10 06 0C 2B 06 01 04 01 0B 02 03 ....0...+....... 09 05 01 03 05 00 30 10 06 0C 2B 06 01 04 01 0B ......0...+..... 02 04 03 08 03 02 05 00 30 10 06 0C 2B 06 01 04 ........0...+... 01 0B 02 04 03 08 03 03 05 00 30 0F 06 0B 2B 06 ..........0...+. 01 04 01 0B 02 04 03 0A 07 05 00 30 0F 06 0B 2B ...........0...+ 06 01 04 01 0B 02 04 03 0A 0D 05 00 30 0F 06 0B ............0... 2B 06 01 04 01 0B 02 04 03 0D 01 05 00 +............ I have a few internal machines sending the same queries to the same address. Name: 192.0.0.0-is-used-for-printservices-discovery----illegally.iana.net Address: 192.0.0.192 |Keith A. Pachulski, PPS, GCIH, GCFW | IATFF Member| InfraGard Member| |PenTeleData/Prolog Internet Services | Network Security Engineer| |Phone: (800) 281-3564 x 2454 | Pager: 8884414569 () page metrocall com| |6B56 C8DC 6201 6D1A BFF5 5799 E193 ABAA 9549 74D0| |"In God We Trust - - - All Others We Monitor"| |--- United States Navy Intelligence| ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- SNMP Weirdness Keith Pachulski (Jan 23)
- Message not available
- Re: SNMP Weirdness Carlo Ottaviani (Jan 27)
- Message not available
- <Possible follow-ups>
- Re: SNMP Weirdness Michael Roberts (Jan 25)
- RE: SNMP Weirdness Smith, Donald (Jan 25)