This is a discussion on "what is this snort logged????" within the Linux Security forums, part of the System Security and Security Related category.
Hello!
Snort on my machine logged and is still logging all the time:

[**] [1:1416:2] SNMP broadcast trap [**]
[Classification: Attempted Information Leak] [Priority: 2]
01/26-18:05:34.998533 10.10.10.50:162 -> 255.255.255.255:162
UDP TTL:64 TOS:0x0 ID:600 IpLen:20 DgmLen:110
Len: 82

[**] [1:1416:2] SNMP broadcast trap [**]
[Classification: Attempted Information Leak] [Priority: 2]
01/26-18:05:35.027692 10.10.10.50:162 -> 255.255.255.255:162
UDP TTL:64 TOS:0x0 ID:601 IpLen:20 DgmLen:110
Len: 82

[**] [1:1419:2] SNMP trap udp [**]
[Classification: Attempted Information Leak] [Priority: 2]
01/26-18:05:35.300052 212.76.145.145[MY IP]:162 -> 10.10.10.50:162
UDP TTL:64 TOS:0x0 ID:3087 IpLen:20 DgmLen:86
Len: 58

I have another mask, not 255.255.255.255.
The logs are big and there are a lot of them :/
What's going on??? Who can help me???

Thank you!
Adriano Susa wrote:
> Hello!
> Snort on my machine logged and is still logging all the time:
> [**] [1:1416:2] SNMP broadcast trap [**]
> [Classification: Attempted Information Leak] [Priority: 2]
> 01/26-18:05:34.998533 10.10.10.50:162 -> 255.255.255.255:162
> UDP TTL:64 TOS:0x0 ID:600 IpLen:20 DgmLen:110
> Len: 82
>
> [**] [1:1416:2] SNMP broadcast trap [**]
> [Classification: Attempted Information Leak] [Priority: 2]
> 01/26-18:05:35.027692 10.10.10.50:162 -> 255.255.255.255:162
> UDP TTL:64 TOS:0x0 ID:601 IpLen:20 DgmLen:110
> Len: 82
>
> [**] [1:1419:2] SNMP trap udp [**]
> [Classification: Attempted Information Leak] [Priority: 2]
> 01/26-18:05:35.300052 212.76.145.145[MY IP]:162 -> 10.10.10.50:162
> UDP TTL:64 TOS:0x0 ID:3087 IpLen:20 DgmLen:86
> Len: 58
>
> I have another mask, not 255.255.255.255.
> The logs are big and there are a lot of them :/
> What's going on??? Who can help me???
>
> Thank you!

The alert gives you all the information you need. The first two alerts show an SNMP trap broadcast (255.255.255.255) from IP 10.10.10.50. This kind of broadcast could be used to gather information about devices running an SNMP daemon on a standard port within a broadcast domain. An attacker could then try to exploit known SNMP vulnerabilities on that device. This could also be a false positive if there is some kind of SNMP collection tool running on the host sending the broadcasts.

If you find the source and you are sure you want it to broadcast to your network regularly (which is kind of strange), you could modify the rule responsible for this alert in snmp.rules, which should look like:

alert udp any any -> 255.255.255.255 161

You could change it to:

alert udp $EXTERNAL_NET any -> 255.255.255.255 161

Then only broadcasts coming from external IP addresses would cause an alert. On the other hand, an attacker with a spoofed IP would not generate alerts.

The third alert could be generated by an answer to the broadcast. The sender is a device with an official IP, i.e. an SNMP-enabled internet router.
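An added example (not from this thread) for triaging alert output like the poster's: it parses Snort's full alert format, counts which host generates the noise, and pairs alerts sent back to a broadcaster with the broadcast that preceded them, the "answer to the broadcast" reading the reply gives for the third alert. The sample alerts are constructed from the poster's lines, and the 2 second pairing window is an assumption.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in Snort's full alert format, built from the poster's lines
# (the "[MY IP]" annotation is dropped so the flow line parses).
SAMPLE_ALERTS = """\
[**] [1:1416:2] SNMP broadcast trap [**]
[Classification: Attempted Information Leak] [Priority: 2]
01/26-18:05:34.998533 10.10.10.50:162 -> 255.255.255.255:162
UDP TTL:64 TOS:0x0 ID:600 IpLen:20 DgmLen:110
Len: 82

[**] [1:1416:2] SNMP broadcast trap [**]
[Classification: Attempted Information Leak] [Priority: 2]
01/26-18:05:35.027692 10.10.10.50:162 -> 255.255.255.255:162
UDP TTL:64 TOS:0x0 ID:601 IpLen:20 DgmLen:110
Len: 82

[**] [1:1419:2] SNMP trap udp [**]
[Classification: Attempted Information Leak] [Priority: 2]
01/26-18:05:35.300052 212.76.145.145:162 -> 10.10.10.50:162
UDP TTL:64 TOS:0x0 ID:3087 IpLen:20 DgmLen:86
Len: 58
"""

HEADER = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]")
FLOW = re.compile(r"^(\S+) (\S+?):(\d+) -> (\S+?):(\d+)$", re.M)

def parse_alerts(text):
    """Parse blank-line separated alert blocks into dicts; blocks that don't match are skipped."""
    alerts = []
    for block in text.strip().split("\n\n"):
        head, flow = HEADER.match(block), FLOW.search(block)
        if head and flow:
            alerts.append({"sid": int(head.group(2)), "msg": head.group(4), "src": flow.group(2),
                           "dst": flow.group(4), "broadcast": flow.group(4) == "255.255.255.255",
                           "ts": datetime.strptime(flow.group(1), "%m/%d-%H:%M:%S.%f")})
    return alerts

def summarize(alerts):
    """Count (sid, src, dst) so the host generating the noise stands out."""
    return Counter((a["sid"], a["src"], a["dst"]) for a in alerts)

def replies_to_broadcasts(alerts, window_s=2.0):
    """(broadcaster, responder, sid) for alerts aimed back at a broadcaster within window_s."""
    return sorted({(b["src"], r["src"], r["sid"])
                   for b in alerts if b["broadcast"] for r in alerts
                   if r["dst"] == b["src"] and 0 <= (r["ts"] - b["ts"]).total_seconds() <= window_s})
```

Run it against the real alert file instead of SAMPLE_ALERTS to see which source dominates and whether the inbound "SNMP trap udp" alerts line up with the outgoing broadcasts.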