Snort mailing list archives

Re: SNMP public access udp


From: Matt Kettler <mkettler () evi-inc com>
Date: Wed, 19 Mar 2003 13:57:39 -0500

This means that snort saw an SNMP packet (used to administer devices such as switches) which was accessing (or attempting to access) the "public" SNMP community, a common default setting in devices. (Actually, it triggers on any SNMP packet containing the word "public".)

Based on what you show of IP addresses, this is traffic within your network, and is probably normal. I'd be concerned if either machine wasn't one I controlled. I'd also consider changing my SNMP community strings to something other than public.


You should strongly consider doing some reading on network admin; it sounds like you lack a lot of background needed to make sense of snort output. Might I suggest reading the message I posted to snort-users earlier today under the subject "Re: [Snort-users] Snort Alerts". It's got some pointers to some good basic background reading.



At 07:01 AM 3/19/2003 -0800, you wrote:

What's this SNMP public access UDP attack?? When does this happen?? Is there a possibility of a false positive associated with this attack?

01/29-00:08:42.970081 [**] [1:1411:2] SNMP public access udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 132.xxx.xxx.88:1030 -> 132.xxx.xxx.75:161

Clayton
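
The reply above notes that the alert fires on any SNMP packet containing the word "public", which is where false positives come from. The following is an added example, not part of the original thread or of Snort: it compares that substring match with actually decoding the community field of an SNMPv1/v2c message. The packets, the community string `n0c-rw-7f3a`, the device name and all function names are constructed for illustration.

```python
def read_tlv(buf, pos):
    """Decode one BER TLV starting at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                          # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def snmp_community(payload):
    """Return the community string of an SNMPv1/v2c message, or None if unparseable."""
    try:
        tag, body, _ = read_tlv(payload, 0)
        if tag != 0x30:                        # outer SEQUENCE
            return None
        tag, version, pos = read_tlv(body, 0)
        if tag != 0x02 or int.from_bytes(version, "big") not in (0, 1):
            return None                        # 0 = v1, 1 = v2c; SNMPv3 has no community
        tag, community, _ = read_tlv(body, pos)
        return community if tag == 0x04 else None
    except (IndexError, ValueError):
        return None

def classify(payload):
    """Return (substring_match, community_is_public) for one UDP/161 payload."""
    return b"public" in payload, snmp_community(payload) == b"public"

def tlv(tag, value):
    """Encode a TLV with a short-form length (enough for the constructed samples)."""
    return bytes([tag, len(value)]) + value

def build_request(community, pdu_tag, value):
    """Constructed SNMPv1 request for sysName.0 (1.3.6.1.2.1.1.5.0)."""
    oid = tlv(0x06, bytes([0x2B, 6, 1, 2, 1, 1, 5, 0]))
    varbinds = tlv(0x30, tlv(0x30, oid + value))
    ints = tlv(0x02, b"\x01") + tlv(0x02, b"\x00") + tlv(0x02, b"\x00")  # id, error, index
    pdu = tlv(pdu_tag, ints + varbinds)
    return tlv(0x30, tlv(0x02, b"\x00") + tlv(0x04, community) + pdu)

# Constructed samples: a GetRequest using "public", and a SetRequest that uses a
# different community but writes a device name that happens to contain "public".
GET_PUBLIC = build_request(b"public", 0xA0, tlv(0x05, b""))
SET_PRIVATE = build_request(b"n0c-rw-7f3a", 0xA3, tlv(0x04, b"public-lobby-sw1"))

if __name__ == "__main__":
    for name, pkt in (("GET_PUBLIC", GET_PUBLIC), ("SET_PRIVATE", SET_PRIVATE)):
        print(name, classify(pkt))
```

A payload where the two results differ is a candidate false positive for the alert; one where both are true really is using the default community.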


