Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: SNMP Broadcasts
From: Mohit Muthanna <mohit.muthanna () gmail com>
Date: Wed, 14 Jul 2004 13:30:03 -0400

Not much you can do to stop the
portscans.

Like hell there isn't.  F-I-R-E-W-A-L-L.

Agreed... they "block" the port scans... but they don't "stop" it
(which was my point). The portscans will continue for as long as the
trojan/scanner/scumoftheearth is running.

SNMP goes to ports 161 and 162, *only*.

No... those are just the default ports for the stock agents. Sysedge
(for example) uses 1691 for Get/Set requests.

This is not, *technically* SNMP, as it is not using it's assigned ports.
This is a variant, and interestingly, that port is assigned to

It is SNMP. Not a variant. It's just running on a different port.

In any case, sometimes the different applications running on a server
are SNMP enabled. And when you have the stock OS SNMP daemon listening
for SNMP requests on udp161, the applications cannot use that port.
They therefore resort to their own high port numbers.

System Edge is an extensible SNMP agent similar in many ways to
net-snmp. It provides more information than an OS's stock agent, but
it's still SNMP and not a variant.


        empire-empuma   1691/tcp    empire-empuma
        empire-empuma   1691/udp    empire-empuma

Unless Sysedge is the decendant of "empire-empuma", it doesn't belong
there either.

That is the case... Empire makes (made) sysedge:
http://www.empire.com/products/systemedge/index.htm

Could this be some kind of SNMP DoS as I get several/second ?

I'll tell you what it could (likely) be:

- An unconfigured SNMP agent on the network (on a Linux or Windows box maybe).

More specific: a misconfigured agent ont the LOCAL network segment.

agreed.

- Your service providers actual switch is misconfigured.

Not at all likely.

I've worked with (and currently work for) different service providers
in the Telco and IP space. The above is entirely likely. Even with the
most sophisticated network management tools, large service providers
still screw up bad. It's unfortunate.

I haven't heard of SNMP DoS's but hey... anythings possible.

I have, and have seen them, but that's not relevent here, as this guy's
entire post made obvious that SNMP was not involved.

okay.

I know I shouldn't be asking this, but...  Do you know how to use
Ethereal?

Good Call. It'll answer most of your questions.

Unfortunately, the odds of this kind of newbie being able to successfully
utilize it are slim.  Still, if he is going to ask for help with odd
packets, he must be able to document them, and this is the standard way to
do so.

agreed.

-- 
Mohit Muthanna, CISSP
[mohit (at) muthanna (uhuh) com]
"There are 10 types of people. Those who understand binary, and those
who don't."

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]