Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Identifying Cisco 2507 SNMP OID

Posted on 2011-09-30
6
Medium Priority
?
670 Views
Last Modified: 2012-05-12
I have a student machine that is querying an OID.  I don't have a 2507( it appears in the logs of a linux server)  but I need to know what the computer is trying to do.  
The full OID is: 1.3.6.1.4.1.9.11.2.3.9.4.2.1.1.3.2.0 and using the tools available on the cisco website I can trace this down to: iso (1) . org (3) . dod (6) . internet (1) . private (4) . enterprises (1) . cisco (9) . ciscoAdmin (11) . ciscoRptrGroupObjectID (2) . cisco2507RptrGroup (3) which looks to me like it is trying to mirror a port (SWAG.)  but what does the remaining 9.4.2.1.1.3.2.0 actually point to in the mib tree?  

Also any ideas about the kind of program that might be trying this query would be appreciated.  This is a private High School and I don't think the kids are actively trying to manage the network.  So it is probably some form of malware.

Mark
0
Comment
Question by:mhenwood
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
6 Comments
 
LVL 79

Assisted Solution

by:arnold
arnold earned 600 total points
ID: 36895367
snmpwalk or snmpget/snmpset can be used.
configure an ACL to limit snmp requests and/or log the SNMP requests this way you can narrow the request to the source and than address it as you see fit.

Download and load up on the cisco mibs
ftp://ftp.cisco.com/pub/mibs/supportlists/c2500/c2500-supportlist.html
http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?objectInput=1.3.6.1.4.1.9.11.2.3&translate=Translate&submitValue=SUBMIT&submitClicked=true

Do not have a 2507 to poll and see what the cascade is.
The translator nor the browser goes down that far.

0
 
LVL 22

Expert Comment

by:eeRoot
ID: 36895384
I don't see any known malware associated with that OID string.  It may be an SNMP scanner or software that tries to locate and/or map out network devices.  Can you monitor the traffic hitting the server, watch for SNMP traffic, and identify the IP's

What version of Linux is this, do you have any packet analyzing software loaded on it?
0
 
LVL 1

Author Comment

by:mhenwood
ID: 36896357
I don't have a 2507 so the SNMP get/walk won't work.  I have tried to figure out what MIB to download but can't figure out the which file breaks down the cisco2507RptrGroup MIB.  
I know the IP of the requestor, it is a student on our secure wireless network.  He is not know for being a hacker and probably doesn't know his computer is doing this.
The linux machine is a virtual machine appliance that runs the vSphere Management Assistant.  I believe it is a Cent OS with a 2.6.18 kernel.  It does not appear to have an X Server but I could probably use tcpdump.  I am setting up the sever so at present it is not doing much and could probably afford to log everything from the suspect IP.  
One of the reasons I am interested in this is to understand how to trace this kind of thing.  How did you go about verifying that no known malware uses this OID, if you don't mind my asking?

Mark
0
Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as the high-speed power of the cloud.

 
LVL 79

Expert Comment

by:arnold
ID: 36897246
The user may have downloaded a CCNA/router simulation tool set.
The user might be trying to learn the use of the SNMP tools and then practice sending SNMP commands.

Did a quick search and CNET has 2500 router simulation tools as well as others.
0
 
LVL 22

Accepted Solution

by:
eeRoot earned 900 total points
ID: 36898571
If you know the IP of the source, there isn't much else to do but see what software is running on that PC.  I looked it up by checking for references to that OID string on Symantec's, F secure's, and Cisco's websites.
0
 
LVL 1

Author Closing Comment

by:mhenwood
ID: 36902854
Still don't know what that OID is.
0

Featured Post

Get your Disaster Recovery as a Service basics

Disaster Recovery as a Service is one go-to solution that revolutionizes DR planning. Implementing DRaaS could be an efficient process, easily accessible to non-DR experts. Learn about monitoring, testing, executing failovers and failbacks to ensure a "healthy" DR environment.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

So, you're experiencing issues on your network and you've decided that you need to perform some tests to determine whether your cabling is good.  You're likely thinking that you may need to spend money which you probably don't have on hiring/purchas…
PRTG Network Monitor lets you monitor your bandwidth usage, so you know who is using up your bandwidth, and what they're using it for.
In this video we outline the Physical Segments view of NetCrunch network monitor. By following this brief how-to video, you will be able to learn how NetCrunch visualizes your network, how granular is the information collected, as well as where to f…
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…

715 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question