"Numerous vulnerabilities have been reported in multiple vendors' SNMP implementations. These vulnerabilities may allow unauthorized privileged access, denial-of-service attacks, or cause unstable behavior. If your site uses SNMP in any capacity, the CERT/CC encourages you to read this advisory and follow the advice provided in the Solution section below."
"III. Solution
"Change default community strings:
"Most SNMP-enabled products ship with default community strings of "public" for read-only access and "private" for read-write access. As with any known default access control mechanism, the CERT/CC recommends that network administrators change these community strings to something of their own choosing. However, even when community strings are changed from their defaults, they will still be passed in plaintext and are therefore subject to packet sniffing attacks. SNMPv3 offers additional capabilities to ensure authentication and privacy as described in RFC2574."
snort2html.plx:
Mar 12 23:59:38 - snort [1:0:0] UDP to 161 snmp
Source IP: 63.105.155.50  Source port: 12542  Source host: masq.railamerica.com
Target IP: 12.82.141.8  Target port: 161  Proto: UDP  Target host: 8.seattle-15-20rs.wa.dial-access.att.net
snort packet dump:
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/12-23:59:38.170060 63.105.155.50:12542 -> 12.82.141.8:161
UDP TTL:112 TOS:0x0 ID:53838 IpLen:20 DgmLen:265
Len: 245
30 81 EA 02 01 00 04 06 70 75 62 6C 69 63 A1 81  0.......public..
DC 02 01 00 02 01 00 02 01 00 30 81 D0 30 0B 06  ..........0..0..
07 2B 06 01 02 01 01 01 05 00 30 0B 06 07 2B 06  .+........0...+.
01 02 01 01 03 05 00 30 0B 06 07 2B 06 01 02 01  .......0...+....
01 05 05 00 30 0D 06 09 2B 06 01 02 01 02 02 01  ....0...+.......
06 05 00 30 0D 06 09 2B 06 01 02 01 04 14 01 01  ...0...+........
05 00 30 0E 06 0A 2B 06 01 02 01 19 03 02 01 03  ..0...+.........
05 00 30 10 06 0C 2B 06 01 04 01 0B 02 03 09 01  ..0...+.........
01 07 05 00 30 10 06 0C 2B 06 01 04 01 0B 02 03  ....0...+.......
09 05 01 03 05 00 30 10 06 0C 2B 06 01 04 01 0B  ......0...+.....
02 04 03 08 03 02 05 00 30 10 06 0C 2B 06 01 04  ........0...+...
01 0B 02 04 03 08 03 03 05 00 30 0F 06 0B 2B 06  ..........0...+.
01 04 01 0B 02 04 03 0A 07 05 00 30 0F 06 0B 2B  ...........0...+
06 01 04 01 0B 02 04 03 0A 0D 05 00 30 0F 06 0B  ............0...
2B 06 01 04 01 0B 02 04 03 0D 01 05 00           +............
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

===============================================================================
Snort processed 1 packets.
Breakdown by protocol:                Action Stats:
    TCP: 0          (0.000%)          ALERTS: 0
    UDP: 1          (100.000%)        LOGGED: 0
   ICMP: 0          (0.000%)          PASSED: 0
    ARP: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 0          (0.000%)
===============================================================================

BW whois 2.9 by Bill Weinman (http://whois.bw.org/)
© 1999-2001 William E. Weinman

Request: 63.105.155.50
connecting to whois.arin.net [63.146.182.182:43] ...

UUNET Technologies, Inc. (NETBLK-UUNET63) UUNET63    63.64.0.0 - 63.127.255.255
Railtex (NETBLK-UU-63-105-155) UU-63-105-155         63.105.155.0 - 63.105.155.255

Request: NETBLK-UU-63-105-155@whois.arin.net
connecting to whois.arin.net [63.146.182.182:43] ...

Railtex (NETBLK-UU-63-105-155)
   4040 Broadway
   San Antonio, TX 78209
   US

   Netname: UU-63-105-155
   Netblock: 63.105.155.0 - 63.105.155.255

   Coordinator:
      Burgess, John  (JB1444-ARIN)  jburgess@railtex.com
      210-841-8258

   Record last updated on 07-Jun-2000.
   Database last updated on 15-Mar-2002 19:57:41 EDT.

host:
[toot@sparky /storage/snort/old_snorts/031202]# host 63.105.155.50
50.155.105.63.in-addr.arpa. domain name pointer masq.railamerica.com.
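Added example, not part of the original post or of the CERT advisory: a minimal Python decoder for the SNMPv1 packet in the Snort dump above. It walks the BER structure to recover the version, community string, PDU type and requested OIDs, which makes the advisory's plaintext caveat concrete: the "public" community is readable straight off the wire, which is exactly what a sensor can key on. The packet bytes are transcribed from the dump; the default-community set and the PDU tag names are assumptions drawn from the advisory and the SNMPv1 message format, and the parser handles only the BER types a v1 Get/GetNext/Set request carries.

```python
# Added example, not from the original post: decode the SNMPv1 request captured above.
DEFAULT_COMMUNITIES = {"public", "private"}   # defaults the CERT advisory says to change
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA3: "SetRequest"}
CAPTURED = bytes.fromhex(  # UDP payload transcribed from the 03/12-23:59:38 alert
    "3081ea02010004067075626c6963a181dc0201000201000201003081d0300b06"
    "072b0601020101010500300b06072b0601020101030500300b06072b06010201"
    "01050500300d06092b06010201020201060500300d06092b0601020104140101"
    "0500300e060a2b06010201190302010305003010060c2b060104010b02030901"
    "010705003010060c2b060104010b02030905010305003010060c2b060104010b"
    "02040308030205003010060c2b060104010b0204030803030500300f060b2b06"
    "0104010b0204030a070500300f060b2b060104010b0204030a0d0500300f060b"
    "2b060104010b0204030d010500")

def tlv(buf, pos):
    """One BER tag/length/value at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """BER OBJECT IDENTIFIER contents -> dotted string (base-128 arcs)."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_snmpv1(packet):
    """Version, community, PDU type and requested OIDs of an SNMPv1 request."""
    _, msg, _ = tlv(packet, 0)            # outer SEQUENCE
    _, ver, pos = tlv(msg, 0)             # INTEGER version (0 = SNMPv1)
    _, community, pos = tlv(msg, pos)     # OCTET STRING community, sent in cleartext
    pdu_tag, pdu, _ = tlv(msg, pos)       # context tag A0/A1/A3 selects the PDU type
    pos = 0
    for _ in range(3):  # skip request-id, error-status, error-index
        _, _, pos = tlv(pdu, pos)
    _, varbinds, _ = tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(varbinds):  # each VarBind is SEQUENCE { OID, value }
        _, vb, pos = tlv(varbinds, pos)
        oids.append(decode_oid(tlv(vb, 0)[1]))
    return {"version": int.from_bytes(ver, "big"), "community": community.decode("ascii", "replace"),
            "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag)), "oids": oids}

def uses_default_community(packet):
    return parse_snmpv1(packet)["community"] in DEFAULT_COMMUNITIES
```

On the captured packet this yields a GetNextRequest with community "public" and 13 OIDs starting at sysDescr (1.3.6.1.2.1.1.1), the signature of a scan that relies on the default string the advisory tells you to change.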