Solved

Identifying Cisco 2507 SNMP OID

Posted on 2011-09-30
6
648 Views
Last Modified: 2012-05-12
I have a student machine that is querying an OID. I don't have a 2507 (it appears in the logs of a linux server) but I need to know what the computer is trying to do.
The full OID is: 1.3.6.1.4.1.9.11.2.3.9.4.2.1.1.3.2.0 and using the tools available on the cisco website I can trace this down to: iso (1) . org (3) . dod (6) . internet (1) . private (4) . enterprises (1) . cisco (9) . ciscoAdmin (11) . ciscoRptrGroupObjectID (2) . cisco2507RptrGroup (3) which looks to me like it is trying to mirror a port (SWAG.) but what does the remaining 9.4.2.1.1.3.2.0 actually point to in the mib tree?

Also any ideas about the kind of program that might be trying this query would be appreciated.  This is a private High School and I don't think the kids are actively trying to manage the network.  So it is probably some form of malware.

Mark
0
Question by:mhenwood
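The decomposition given in the question can be checked mechanically. The Python below is an added example, not code from this thread: it holds a partial name table constructed from the ten arc names the question lists, walks an OID through that table one arc at a time, and reports whatever remains as an unresolved tail, which is the same point at which the Cisco translator and browser stop. The table, the sample OIDs, and the function names (`parse_oid`, `resolve_oid`, `format_resolution`) are the example's own.

```python
# Added example: resolve the leading arcs of an SNMP OID against a partial
# name table and report the arcs the table cannot name. Not from the thread.

# Partial name table, constructed from the arc names quoted in the question.
# A real MIB browser loads the full Cisco MIB files instead of this dictionary.
KNOWN_ARCS = {
    "1": "iso",
    "1.3": "org",
    "1.3.6": "dod",
    "1.3.6.1": "internet",
    "1.3.6.1.4": "private",
    "1.3.6.1.4.1": "enterprises",
    "1.3.6.1.4.1.9": "cisco",
    "1.3.6.1.4.1.9.11": "ciscoAdmin",
    "1.3.6.1.4.1.9.11.2": "ciscoRptrGroupObjectID",
    "1.3.6.1.4.1.9.11.2.3": "cisco2507RptrGroup",
}


def parse_oid(oid):
    """Validate a dotted OID (a leading '.' is allowed) and return its arcs as ints."""
    text = oid.strip().lstrip(".")
    if not text:
        raise ValueError("empty OID")
    arcs = []
    for part in text.split("."):
        if not part.isdigit():
            raise ValueError(f"non-numeric arc {part!r} in OID {oid!r}")
        arcs.append(int(part))
    return arcs


def resolve_oid(oid, table=KNOWN_ARCS):
    """Return (names, tail).

    names: the names of the leading arcs the table knows, in order.
    tail:  the dotted remainder the table cannot name ('' if all arcs resolve).
    Resolution stops at the first arc that has no table entry, so a gap in
    the table is reported as a tail rather than skipped over.
    """
    arcs = parse_oid(oid)
    names = []
    for depth in range(len(arcs)):
        prefix = ".".join(str(a) for a in arcs[: depth + 1])
        if prefix not in table:
            break
        names.append(table[prefix])
    tail = ".".join(str(a) for a in arcs[len(names):])
    return names, tail


def format_resolution(oid, table=KNOWN_ARCS):
    """Render the result in the 'name (arc) . name (arc)' style used in the question."""
    arcs = parse_oid(oid)
    names, tail = resolve_oid(oid, table)
    named = " . ".join(f"{n} ({a})" for n, a in zip(names, arcs))
    if tail:
        return f"{named}  |  unresolved tail: {tail}"
    return named


if __name__ == "__main__":
    # The OID from the question, and the standard sysDescr OID for contrast.
    print(format_resolution("1.3.6.1.4.1.9.11.2.3.9.4.2.1.1.3.2.0"))
    print(format_resolution("1.3.6.1.2.1.1.1.0"))
```

The trailing `.0` is the instance suffix of a scalar object, so the last arc is an instance rather than another branch of the tree; the arcs between `cisco2507RptrGroup` and that instance can only be named by loading the matching Cisco repeater MIB file into the table instead of this hand-built dictionary.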
6 Comments
 
LVL 78

Assisted Solution

by:arnold
arnold earned 200 total points
ID: 36895367
snmpwalk or snmpget/snmpset can be used.
configure an ACL to limit snmp requests and/or log the SNMP requests; this way you can narrow the request to the source and then address it as you see fit.

Download and load up on the cisco mibs
ftp://ftp.cisco.com/pub/mibs/supportlists/c2500/c2500-supportlist.html
http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?objectInput=1.3.6.1.4.1.9.11.2.3&translate=Translate&submitValue=SUBMIT&submitClicked=true

Do not have a 2507 to poll and see what the cascade is.
Neither the translator nor the browser goes down that far.

0
 
LVL 22

Expert Comment

by:eeRoot
ID: 36895384
I don't see any known malware associated with that OID string. It may be an SNMP scanner or software that tries to locate and/or map out network devices. Can you monitor the traffic hitting the server, watch for SNMP traffic, and identify the IPs?

What version of Linux is this, do you have any packet analyzing software loaded on it?
0
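Both suggestions so far (arnold's, to log SNMP requests and narrow them to a source, and eeRoot's, to watch for SNMP traffic and identify the IPs) come down to grouping requests to UDP/161 by sender. The Python below is an added example and not from the thread: it parses text lines in an assumed tcpdump-style shape, constructed here as sample input, counts requests per source address and per OID, and lists senders that are not on an allow-list of expected managers, which is the same decision an ACL would enforce. The sample addresses, the line format, and the function names (`parse_line`, `summarize`, `unexpected_sources`) are the example's own.

```python
# Added example: group SNMP requests by source from tcpdump-style text lines.
# Not from the thread; the line format below is an assumption and the
# addresses are constructed for the example.
import re
from collections import Counter, defaultdict

# Constructed sample capture: requests to the server's UDP/161 from two hosts,
# plus one response line that must not be counted as a request.
SAMPLE_LINES = """\
10:14:02.118231 IP 10.20.5.41.51734 > 10.20.1.7.161:  GetRequest(39)  .1.3.6.1.4.1.9.11.2.3.9.4.2.1.1.3.2.0
10:14:02.118402 IP 10.20.1.7.161 > 10.20.5.41.51734:  GetResponse(41)  .1.3.6.1.4.1.9.11.2.3.9.4.2.1.1.3.2.0=noSuchName
10:14:07.120004 IP 10.20.5.41.51735 > 10.20.1.7.161:  GetRequest(39)  .1.3.6.1.4.1.9.11.2.3.9.4.2.1.1.3.2.0
10:14:09.553110 IP 10.20.1.9.40112 > 10.20.1.7.161:  GetRequest(28)  .1.3.6.1.2.1.1.1.0
10:14:12.000917 IP 10.20.5.41.51736 > 10.20.1.7.161:  GetNextRequest(28)  .1.3.6.1.2.1.1
"""

# Assumed line shape: "<time> IP <src>.<sport> > <dst>.<dport>:  <Pdu>(<len>)  <oid>..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+IP\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):\s+"
    r"(?P<pdu>[A-Za-z]+)\(\d+\)\s+"
    r"(?P<oid>\.?\d+(?:\.\d+)*)"
)


def parse_line(line):
    """Return a dict of fields for one line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    rec["oid"] = rec["oid"].lstrip(".")
    return rec


def summarize(text, snmp_port=161):
    """Count requests (packets sent TO snmp_port) per source and per OID.

    Responses come from port 161, not to it, so they are skipped; lines
    the pattern cannot parse are counted in 'skipped' rather than ignored
    silently, so a format mismatch is visible.
    """
    by_source = Counter()
    oids_by_source = defaultdict(Counter)
    skipped = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        if rec["dport"] != snmp_port:
            continue
        by_source[rec["src"]] += 1
        oids_by_source[rec["src"]][rec["oid"]] += 1
    return {"by_source": by_source, "oids_by_source": oids_by_source, "skipped": skipped}


def unexpected_sources(summary, allowed_managers):
    """Sources that sent SNMP requests but are not on the allow-list."""
    return sorted(src for src in summary["by_source"] if src not in allowed_managers)


if __name__ == "__main__":
    s = summarize(SAMPLE_LINES)
    for src, n in s["by_source"].most_common():
        print(f"{src}: {n} request(s)")
        for oid, c in s["oids_by_source"][src].most_common():
            print(f"    {c}x {oid}")
    # Only the known management host is expected to poll this server.
    print("unexpected:", unexpected_sources(s, {"10.20.1.9"}))
```

On the vMA appliance the text would come from a capture such as `tcpdump -n udp port 161` piped to a file; whichever tool produces it, check `skipped` first, because a zero count for every source more often means the pattern did not match the tool's output than that no requests arrived.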
 
LVL 1

Author Comment

by:mhenwood
ID: 36896357
I don't have a 2507 so the SNMP get/walk won't work. I have tried to figure out what MIB to download but can't figure out which file breaks down the cisco2507RptrGroup MIB.
I know the IP of the requestor, it is a student on our secure wireless network. He is not known for being a hacker and probably doesn't know his computer is doing this.
The linux machine is a virtual machine appliance that runs the vSphere Management Assistant. I believe it is a CentOS with a 2.6.18 kernel. It does not appear to have an X Server but I could probably use tcpdump. I am setting up the server so at present it is not doing much and could probably afford to log everything from the suspect IP.
One of the reasons I am interested in this is to understand how to trace this kind of thing.  How did you go about verifying that no known malware uses this OID, if you don't mind my asking?

Mark
0
 
LVL 78

Expert Comment

by:arnold
ID: 36897246
The user may have downloaded a CCNA/router simulation tool set.
The user might be trying to learn the use of the SNMP tools and then practice sending SNMP commands.

Did a quick search and CNET has 2500 router simulation tools as well as others.
0
 
LVL 22

Accepted Solution

by:eeRoot
eeRoot earned 300 total points
ID: 36898571
If you know the IP of the source, there isn't much else to do but see what software is running on that PC.  I looked it up by checking for references to that OID string on Symantec's, F secure's, and Cisco's websites.
0
 
LVL 1

Author Closing Comment

by:mhenwood
ID: 36902854
Still don't know what that OID is.
0
