Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 686
  • Last Modified:

Identifying Cisco 2507 SNMP OID

I have a student machine that is querying an OID.  I don't have a 2507( it appears in the logs of a linux server)  but I need to know what the computer is trying to do.  
The full OID is: 1.3.6.1.4.1.9.11.2.3.9.4.2.1.1.3.2.0 and using the tools available on the cisco website I can trace this down to: iso (1) . org (3) . dod (6) . internet (1) . private (4) . enterprises (1) . cisco (9) . ciscoAdmin (11) . ciscoRptrGroupObjectID (2) . cisco2507RptrGroup (3) which looks to me like it is trying to mirror a port (SWAG.)  but what does the remaining 9.4.2.1.1.3.2.0 actually point to in the mib tree?  

Also any ideas about the kind of program that might be trying this query would be appreciated.  This is a private High School and I don't think the kids are actively trying to manage the network.  So it is probably some form of malware.

Mark
0
mhenwood
Asked:
mhenwood
  • 2
  • 2
  • 2
2 Solutions
 
arnoldCommented:
snmpwalk or snmpget/snmpset can be used.
configure an ACL to limit snmp requests and/or log the SNMP requests this way you can narrow the request to the source and than address it as you see fit.

Download and load up on the cisco mibs
ftp://ftp.cisco.com/pub/mibs/supportlists/c2500/c2500-supportlist.html
http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?objectInput=1.3.6.1.4.1.9.11.2.3&translate=Translate&submitValue=SUBMIT&submitClicked=true

Do not have a 2507 to poll and see what the cascade is.
The translator nor the browser goes down that far.

0
 
eeRootCommented:
I don't see any known malware associated with that OID string.  It may be an SNMP scanner or software that tries to locate and/or map out network devices.  Can you monitor the traffic hitting the server, watch for SNMP traffic, and identify the IP's

What version of Linux is this, do you have any packet analyzing software loaded on it?
0
 
mhenwoodAuthor Commented:
I don't have a 2507 so the SNMP get/walk won't work.  I have tried to figure out what MIB to download but can't figure out the which file breaks down the cisco2507RptrGroup MIB.  
I know the IP of the requestor, it is a student on our secure wireless network.  He is not know for being a hacker and probably doesn't know his computer is doing this.
The linux machine is a virtual machine appliance that runs the vSphere Management Assistant.  I believe it is a Cent OS with a 2.6.18 kernel.  It does not appear to have an X Server but I could probably use tcpdump.  I am setting up the sever so at present it is not doing much and could probably afford to log everything from the suspect IP.  
One of the reasons I am interested in this is to understand how to trace this kind of thing.  How did you go about verifying that no known malware uses this OID, if you don't mind my asking?

Mark
0
Improve Your Query Performance Tuning

In this FREE six-day email course, you'll learn from Janis Griffin, Database Performance Evangelist. She'll teach 12 steps that you can use to optimize your queries as much as possible and see measurable results in your work. Get started today!

 
arnoldCommented:
The user may have downloaded a CCNA/router simulation tool set.
The user might be trying to learn the use of the SNMP tools and then practice sending SNMP commands.

Did a quick search and CNET has 2500 router simulation tools as well as others.
0
 
eeRootCommented:
If you know the IP of the source, there isn't much else to do but see what software is running on that PC.  I looked it up by checking for references to that OID string on Symantec's, F secure's, and Cisco's websites.
0
 
mhenwoodAuthor Commented:
Still don't know what that OID is.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Improve Your Query Performance Tuning

In this FREE six-day email course, you'll learn from Janis Griffin, Database Performance Evangelist. She'll teach 12 steps that you can use to optimize your queries as much as possible and see measurable results in your work. Get started today!

  • 2
  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now