?
Solved

Identifying Cisco 2507 SNMP OID

Posted on 2011-09-30
6
Medium Priority
?
684 Views
Last Modified: 2012-05-12
I have a student machine that is querying an OID.  I don't have a 2507( it appears in the logs of a linux server)  but I need to know what the computer is trying to do.  
The full OID is: 1.3.6.1.4.1.9.11.2.3.9.4.2.1.1.3.2.0 and using the tools available on the cisco website I can trace this down to: iso (1) . org (3) . dod (6) . internet (1) . private (4) . enterprises (1) . cisco (9) . ciscoAdmin (11) . ciscoRptrGroupObjectID (2) . cisco2507RptrGroup (3) which looks to me like it is trying to mirror a port (SWAG.)  but what does the remaining 9.4.2.1.1.3.2.0 actually point to in the mib tree?  

Also any ideas about the kind of program that might be trying this query would be appreciated.  This is a private High School and I don't think the kids are actively trying to manage the network.  So it is probably some form of malware.

Mark
0
Comment
Question by:mhenwood
  • 2
  • 2
  • 2
6 Comments
 
LVL 81

Assisted Solution

by:arnold
arnold earned 600 total points
ID: 36895367
snmpwalk or snmpget/snmpset can be used.
configure an ACL to limit snmp requests and/or log the SNMP requests this way you can narrow the request to the source and than address it as you see fit.

Download and load up on the cisco mibs
ftp://ftp.cisco.com/pub/mibs/supportlists/c2500/c2500-supportlist.html
http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?objectInput=1.3.6.1.4.1.9.11.2.3&translate=Translate&submitValue=SUBMIT&submitClicked=true

Do not have a 2507 to poll and see what the cascade is.
The translator nor the browser goes down that far.

0
 
LVL 22

Expert Comment

by:eeRoot
ID: 36895384
I don't see any known malware associated with that OID string.  It may be an SNMP scanner or software that tries to locate and/or map out network devices.  Can you monitor the traffic hitting the server, watch for SNMP traffic, and identify the IP's

What version of Linux is this, do you have any packet analyzing software loaded on it?
0
 
LVL 1

Author Comment

by:mhenwood
ID: 36896357
I don't have a 2507 so the SNMP get/walk won't work.  I have tried to figure out what MIB to download but can't figure out the which file breaks down the cisco2507RptrGroup MIB.  
I know the IP of the requestor, it is a student on our secure wireless network.  He is not know for being a hacker and probably doesn't know his computer is doing this.
The linux machine is a virtual machine appliance that runs the vSphere Management Assistant.  I believe it is a Cent OS with a 2.6.18 kernel.  It does not appear to have an X Server but I could probably use tcpdump.  I am setting up the sever so at present it is not doing much and could probably afford to log everything from the suspect IP.  
One of the reasons I am interested in this is to understand how to trace this kind of thing.  How did you go about verifying that no known malware uses this OID, if you don't mind my asking?

Mark
0
Will You Be GDPR Compliant by 5/28/2018?

GDPR? That's a regulation for the European Union. But, if you collect data from customers or employees within the EU, then you need to know about GDPR and make sure your organization is compliant by May 2018. Check out our preparation checklist to make sure you're on track today!

 
LVL 81

Expert Comment

by:arnold
ID: 36897246
The user may have downloaded a CCNA/router simulation tool set.
The user might be trying to learn the use of the SNMP tools and then practice sending SNMP commands.

Did a quick search and CNET has 2500 router simulation tools as well as others.
0
 
LVL 22

Accepted Solution

by:
eeRoot earned 900 total points
ID: 36898571
If you know the IP of the source, there isn't much else to do but see what software is running on that PC.  I looked it up by checking for references to that OID string on Symantec's, F secure's, and Cisco's websites.
0
 
LVL 1

Author Closing Comment

by:mhenwood
ID: 36902854
Still don't know what that OID is.
0

Featured Post

Evaluating UTMs? Here's what you need to know!

Evaluating a UTM appliance and vendor can prove to be an overwhelming exercise.  How can you make sure that you're getting the security that your organization needs without breaking the bank? Check out our UTM Buyer's Guide for more information on what you should be looking for!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I eventually solved a perplexing problem setting up telnet for a new switch.  I installed a new Cisco WS-03560X-24P switch connected to an existing Cisco 4506 running a WS-X4013-10GE Sup II-Plus. After configuring vlans and trunking,  I could no…
Is your computer hacked? learn how to detect and delete malware in your PC
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…

601 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question