Security Incidents mailing list archives

possible slooow SNMP scan


From: Rich Puhek <rpuhek () etnsystems com>
Date: Thu, 14 Feb 2002 16:48:35 -0600

Given the recent discussion on SNMP vulnerabilities, I decided to look
at my router logs this afternoon. I only found three drops on
connections to port 161 in today's logs, and I found four in
yesterday's. I did see an interesting correlation though. Sanitized logs
follow:

$ grep "list 100" /var/log/routers.log
Feb 14 14:35:44 <MYROUTER> 72458: 1w0d: %SEC-6-IPACCESSLOGP: list 100 denied udp <SOURCE>(2101) -> <MY_NET_ONE>.54(161), 1 packet
Feb 14 15:25:22 <MYROUTER> 72820: 1w0d: %SEC-6-IPACCESSLOGP: list 100 denied udp <SOURCE>(2101) -> <MY_NET_TWO>.54(161), 1 packet
Feb 14 15:29:27 <MYROUTER> 72843: 1w0d: %SEC-6-IPACCESSLOGP: list 100 denied udp <SOURCE>(2101) -> <MY_NET_THREE>.54(161), 1 packet
$ grep "list 100" /var/log/routers.log.0
Feb 13 07:18:17 <MYROUTER> 59882: 5d17h: %SEC-6-IPACCESSLOGP: list 100 denied udp OTHER_SOURCE(2955) -> <MY_NET_THREE>.208(161), 1 packet
Feb 14 05:43:24 <MYROUTER> 68696: 6d15h: %SEC-6-IPACCESSLOGP: list 100 denied udp <SOURCE>(2101) -> <MY_NET_ONE>.53(161), 1 packet
Feb 14 06:30:19 <MYROUTER> 68984: 6d16h: %SEC-6-IPACCESSLOGP: list 100 denied udp <SOURCE>(2101) -> <MY_NET_TWO>.53(161), 1 packet
Feb 14 06:34:04 <MYROUTER> 69004: 6d16h: %SEC-6-IPACCESSLOGP: list 100 denied udp <SOURCE>(2101) -> <MY_NET_THREE>.53(161), 1 packet

(times are local, UTC-6)

The <SOURCE> IP was the same in each case (somewhere out in Finland,
according to RIPE). "MY_NET_ONE" is one of my networks, "MY_NET_TWO" is
another one of my networks, and "MY_NET_THREE" is a third. A couple of
observations on the networks involved:

1) The three networks were scanned in order (lowest number 1st).
2) I have additional netblocks that sit between "MY_NET_ONE" and
"MY_NET_TWO" that did not get connections attempted.
3) MY_NET_THREE is actually a /22. I don't know if the scanner realized
that it was not a class C, but they did not scan each /24 in the net.
4) I don't have any hosts (running SNMP or otherwise) on .53 or .54 on
any of the networks.
5) MY_NET_TWO and MY_NET_THREE are on the same /8, but MY_NET_ONE is on
a different /8 altogether.

Has anyone seen anything similar?


-- Rich

_________________________________________________________
                         
Rich Puhek               
ETN Systems Inc.         
_________________________________________________________
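The pattern Rich describes (one source, one host offset per pass, a handful of /24s spread over hours) is easy to miss with a plain grep because each individual line looks like noise. The script below is an added example, not part of the original post or of any SecurityFocus tool: it parses Cisco IOS `%SEC-6-IPACCESSLOGP` lines of the shape shown above, groups port-161 denials by source, and flags a source that touched several distinct /24s over a long span. The log lines, host name `rtr1`, and IP addresses are constructed sample data in the same layout as the sanitized logs; the year, thresholds and function names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Cisco IOS ACL log line, one entry per line (constructed to match the post's format):
#   Feb 14 14:35:44 rtr1 72458: 1w0d: %SEC-6-IPACCESSLOGP: list 100 denied udp A(2101) -> B(161), 1 packet
ACL_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) \d+: \S+: %SEC-6-IPACCESSLOGP: list (?P<acl>\d+) "
    r"(?P<action>denied|permitted) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?"
)

# Constructed sample log: one unrelated single hit, then two slow passes (.53 then .54)
# by a single source across three /24s, two of them in the same /8, as in the post.
SAMPLE_LOG = """\
Feb 13 07:18:17 rtr1 59882: 5d17h: %SEC-6-IPACCESSLOGP: list 100 denied udp 198.51.100.200(2955) -> 10.20.9.208(161), 1 packet
Feb 14 05:43:24 rtr1 68696: 6d15h: %SEC-6-IPACCESSLOGP: list 100 denied udp 203.0.113.9(2101) -> 10.1.1.53(161), 1 packet
Feb 14 06:30:19 rtr1 68984: 6d16h: %SEC-6-IPACCESSLOGP: list 100 denied udp 203.0.113.9(2101) -> 10.20.5.53(161), 1 packet
Feb 14 06:34:04 rtr1 69004: 6d16h: %SEC-6-IPACCESSLOGP: list 100 denied udp 203.0.113.9(2101) -> 10.20.9.53(161), 1 packet
Feb 14 14:35:44 rtr1 72458: 1w0d: %SEC-6-IPACCESSLOGP: list 100 denied udp 203.0.113.9(2101) -> 10.1.1.54(161), 1 packet
Feb 14 15:25:22 rtr1 72820: 1w0d: %SEC-6-IPACCESSLOGP: list 100 denied udp 203.0.113.9(2101) -> 10.20.5.54(161), 1 packet
Feb 14 15:29:27 rtr1 72843: 1w0d: %SEC-6-IPACCESSLOGP: list 100 denied udp 203.0.113.9(2101) -> 10.20.9.54(161), 1 packet
"""


def parse_acl_line(line, year=2002):
    """Return a dict for one ACL log line, or None if the line is not an ACL hit.
    Syslog timestamps carry no year, so the caller supplies it (assumed 2002 here)."""
    m = ACL_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {
        "ts": ts,
        "host": m["host"],
        "action": m["action"],
        "proto": m["proto"],
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
    }


def net24(ip):
    """Key a destination by its /24 (first three octets), the granularity the post reasons in."""
    return ".".join(ip.split(".")[:3])


def find_slow_scans(lines, dport=161, min_networks=3, min_span_minutes=30, year=2002):
    """Group denied hits on `dport` by source and flag sources that probed at least
    `min_networks` distinct /24s over at least `min_span_minutes`. A fast sweep of one
    network never trips this; a source that comes back hours later for the next host does."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_acl_line(line, year)
        if rec and rec["action"] == "denied" and rec["dport"] == dport:
            by_src[rec["src"]].append(rec)

    flagged = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        nets = sorted({net24(r["dst"]) for r in recs})
        span_min = (recs[-1]["ts"] - recs[0]["ts"]).total_seconds() / 60
        if len(nets) >= min_networks and span_min >= min_span_minutes:
            flagged[src] = {
                "networks": nets,
                "hits": len(recs),
                "first": recs[0]["ts"],
                "last": recs[-1]["ts"],
                "span_minutes": span_min,
                # Destination hosts in time order, so the pass-by-pass .53 / .54 pattern is visible.
                "sequence": [r["dst"] for r in recs],
            }
    return flagged


if __name__ == "__main__":
    for src, info in find_slow_scans(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {info['hits']} hits across {len(info['networks'])} networks "
              f"over {info['span_minutes']:.0f} min: {' -> '.join(info['sequence'])}")
```

Against a real syslog feed, run `find_slow_scans` over a window of two or three days rather than a single day's file; the post's own evidence only lined up once logs from both `routers.log` and `routers.log.0` were read together. The `min_span_minutes` threshold is what separates this from an ordinary port-scan alert: it deliberately ignores fast sweeps that other rules already catch and keeps only sources that spread their probes out.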

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

