Just saw this in my portscan log (via snort) and decided to share with the community so we can figure out who is scanning with what tools and for what purpose (investigative or malicious). Seems like they scan my 5 IP block 3 times:

Feb 17 20:21:06 67.113.159.146:1504 -> X.X.X.50:161 UDP
Feb 17 20:21:06 67.113.159.146:1504 -> X.X.X.52:161 UDP
Feb 17 20:21:06 67.113.159.146:1504 -> X.X.X.53:161 UDP
Feb 17 20:21:06 67.113.159.146:1504 -> X.X.X.54:161 UDP
Feb 17 20:21:06 67.113.159.146:1504 -> X.X.X.55:161 UDP
Feb 17 20:21:11 67.113.159.146:1504 -> X.X.X.51:161 UDP
Feb 17 20:21:11 67.113.159.146:1504 -> X.X.X.50:161 UDP
Feb 17 20:21:11 67.113.159.146:1504 -> X.X.X.55:161 UDP
Feb 17 20:21:11 67.113.159.146:1504 -> X.X.X.54:161 UDP
Feb 17 20:21:11 67.113.159.146:1504 -> X.X.X.52:161 UDP
Feb 17 20:21:16 67.113.159.146:1504 -> X.X.X.53:161 UDP
Feb 17 20:21:16 67.113.159.146:1504 -> X.X.X.54:161 UDP
Feb 17 20:21:16 67.113.159.146:1504 -> X.X.X.55:161 UDP
Feb 17 20:21:16 67.113.159.146:1504 -> X.X.X.50:161 UDP
Feb 17 20:21:16 67.113.159.146:1504 -> X.X.X.51:161 UDP
Feb 17 20:21:16 67.113.159.146:1504 -> X.X.X.52:161 UDP

=======================================================

I have some generic snmp rules to catch all SNMP scans/probes. Here is a sample packet that got

[**] SNMP/udp public access [**]
02/17-20:21:06.412571 0:A0:C5:E5:F6:93 -> 0:10:5A:F:34:B1 type:0x800 len:0x61
67.113.159.146:1504 -> X.X.X.50:161 UDP TTL:114 TOS:0x0 ID:55265 IpLen:20 DgmLen:83
Len: 63
30 35 02 01 00 04 06 70 75 62 6C 69 63 A1 28 02  05.....public.(.
04 3C 69 F1 B9 02 01 00 02 01 00 30 1A 30 0B 06  .<i........0.0..
07 2B 06 01 02 01 01 02 05 00 30 0B 06 07 2B 06  .+........0...+.
01 02 01 01 01 05 00                             .......

Every packet looks exactly the same. Wonder if this is the SANS snmp scanning tool?
======================================================================

Name:    adsl-67-113-159-146.dsl.sntc01.pacbell.net
Address: 67.113.159.146

George S Granados (NETBLK-SBC-06711315914429)
San Francisco, Ca 94104
US

Netname: SBC-06711315914429
Netblock: 67.113.159.144 - 67.113.159.151

Coordinator:
Pacific Bell Internet (PIA2-ORG-ARIN) ip-adminat_private
888-212-5411

Seems like ol' pacbell gives info on who they give IP blocks to! ;)

Do you think we should be reporting snmp scans to ISPs or just a waste of time?

==================================================================

Peter

--
Peter E. Johnson
Securityflaw
http://www.securityflaw.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
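As an added example (my own code, not from the post, Snort or any scanning tool), a minimal BER decoder that parses the UDP payload from the alert above: it shows the probe is an SNMPv1 GetNextRequest with community "public" for the MIB-2 sysObjectID (1.3.6.1.2.1.1.2) and sysDescr (1.3.6.1.2.1.1.1) objects, the usual opening query of an SNMP sweep, and flags it as a default-community probe for detection purposes. The hex bytes are copied from the post; every function name is my own.

```python
# UDP payload copied from the Snort alert above (ASCII column dropped).
CAPTURED_HEX = ("30 35 02 01 00 04 06 70 75 62 6C 69 63 A1 28 02 "
                "04 3C 69 F1 B9 02 01 00 02 01 00 30 1A 30 0B 06 "
                "07 2B 06 01 02 01 01 02 05 00 30 0B 06 07 2B 06 "
                "01 02 01 01 01 05 00")
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse", 0xA3: "SetRequest"}

def _tlv(buf, pos):
    """Read one BER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _oid(raw):
    """Turn BER OID bytes into dotted form (first byte packs two arcs)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:  # base-128 arcs, high bit set on all but the last byte
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def decode_snmp(payload):
    """Return version, community, PDU type, request id and requested OIDs."""
    tag, msg, _ = _tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message (outer SEQUENCE missing)")
    _, version, pos = _tlv(msg, 0)
    _, community, pos = _tlv(msg, pos)
    pdu_tag, pdu, _ = _tlv(msg, pos)
    _, req_id, pos = _tlv(pdu, 0)
    _, _, pos = _tlv(pdu, _tlv(pdu, pos)[2])  # skip error-status, error-index
    _, varbinds, _ = _tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(varbinds):  # each varbind is SEQUENCE { OID, value }
        _, vb, pos = _tlv(varbinds, pos)
        oids.append(_oid(_tlv(vb, 0)[1]))
    return {"version": int.from_bytes(version, "big"),  # 0 means SNMPv1
            "community": community.decode("ascii", "replace"),
            "pdu": PDU_TYPES.get(pdu_tag, hex(pdu_tag)),
            "request_id": int.from_bytes(req_id, "big"), "oids": oids}

def is_default_community_probe(decoded):  # read request using a well-known default community
    return (decoded["community"] in ("public", "private")
            and decoded["pdu"] in ("GetRequest", "GetNextRequest"))
```

Feeding the same decoder to a Snort or packet-capture pipeline lets you log the community string and OIDs each probe tries rather than just the port hit.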
This archive was generated by hypermail 2b30 : Mon Feb 18 2002 - 23:42:28 PST