Snort mailing list archives
Re: SNMP public access udp
From: Matt Kettler <mkettler () evi-inc com>
Date: Wed, 19 Mar 2003 13:57:39 -0500
This means that Snort saw an SNMP packet (used to administer devices such as switches) which was accessing (or attempting to access) the "public" SNMP community, a common default setting in devices. (Actually, it triggers on any SNMP packet containing the word "public".)
Based on what you show of IP addresses, this is traffic within your network, and is probably normal. I'd be concerned if either machine wasn't one I controlled. I'd also consider changing my SNMP community strings to something other than public.
You should strongly consider doing some reading on network admin; it sounds like you lack a lot of the background needed to make sense of Snort output. Might I suggest reading the message I posted to snort-users earlier today under the subject "Re: [Snort-users] Snort Alerts". It's got some pointers to some good basic background reading.
At 07:01 AM 3/19/2003 -0800, you wrote:
What's this SNMP public access UDP attack?? When does this happen?? Is there a possibility of a false positive associated with this attack?

01/29-00:08:42.970081 [**] [1:1411:2] SNMP public access udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 132.xxx.xxx.88:1030 -> 132.xxx.xxx.75:161

Clayton
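The false-positive question in this thread comes down to the difference between matching the bytes "public" anywhere in an SNMP packet, as the reply describes the alert doing, and checking the community field itself. The following is an added example, not part of the original messages or of Snort; the function names are hypothetical and both packets are constructed sample data.

```python
# Added example (not from the thread). Packets below are constructed sample data.

def read_tlv(buf, pos):
    """Decode one BER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def snmp_community(payload):
    """Return the community of an SNMPv1/v2c message, or None if it does not parse."""
    try:
        tag, body, _ = read_tlv(payload, 0)         # outer SEQUENCE
        if tag != 0x30:
            return None
        tag, _version, pos = read_tlv(body, 0)      # INTEGER version
        if tag != 0x02:
            return None
        tag, community, _ = read_tlv(body, pos)     # OCTET STRING community
        return community if tag == 0x04 else None
    except (IndexError, ValueError):
        return None

def content_match(payload):
    """What the reply describes: fire on the bytes 'public' anywhere in the packet."""
    return b"public" in payload

def uses_public_community(payload):
    """Stricter check: fire only when the community field itself is 'public'."""
    return snmp_community(payload) == b"public"

def tlv(tag, value):                                # builder for the constructed samples
    return bytes([tag, len(value)]) + value         # short-form length only (< 128 bytes)

def message(community, pdu_tag, oid, value):
    varbind = tlv(0x30, tlv(0x06, oid) + value)
    pdu = tlv(pdu_tag, tlv(0x02, b"\x01") + tlv(0x02, b"\x00") + tlv(0x02, b"\x00") + tlv(0x30, varbind))
    return tlv(0x30, tlv(0x02, b"\x00") + tlv(0x04, community) + pdu)

SYS = b"\x2b\x06\x01\x02\x01\x01"                   # 1.3.6.1.2.1.1 (system group)
GET_PUBLIC = message(b"public", 0xA0, SYS + b"\x01\x00", b"\x05\x00")   # Get sysDescr.0
SET_PRIVATE = message(b"n0c-rw-7f3a", 0xA3, SYS + b"\x04\x00",          # Set sysContact.0
                      tlv(0x04, b"public-noc@example.org"))
```

The second packet uses a non-default community but carries "public" inside a varbind value, so the byte match fires while the field check does not.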
Current thread:
- SNMP public access udp Clayton Mascarenhas (Mar 19)
- Re: SNMP public access udp Matt Kettler (Mar 21)