Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Identifying Cisco 2507 SNMP OID

Posted on 2011-09-30
6
Medium Priority
?
680 Views
Last Modified: 2012-05-12
I have a student machine that is querying an OID.  I don't have a 2507( it appears in the logs of a linux server)  but I need to know what the computer is trying to do.  
The full OID is: 1.3.6.1.4.1.9.11.2.3.9.4.2.1.1.3.2.0 and using the tools available on the cisco website I can trace this down to: iso (1) . org (3) . dod (6) . internet (1) . private (4) . enterprises (1) . cisco (9) . ciscoAdmin (11) . ciscoRptrGroupObjectID (2) . cisco2507RptrGroup (3) which looks to me like it is trying to mirror a port (SWAG.)  but what does the remaining 9.4.2.1.1.3.2.0 actually point to in the mib tree?  

Also any ideas about the kind of program that might be trying this query would be appreciated.  This is a private High School and I don't think the kids are actively trying to manage the network.  So it is probably some form of malware.

Mark
0
Comment
Question by:mhenwood
  • 2
  • 2
  • 2
6 Comments
 
LVL 80

Assisted Solution

by:arnold
arnold earned 600 total points
ID: 36895367
snmpwalk or snmpget/snmpset can be used.
configure an ACL to limit snmp requests and/or log the SNMP requests this way you can narrow the request to the source and than address it as you see fit.

Download and load up on the cisco mibs
ftp://ftp.cisco.com/pub/mibs/supportlists/c2500/c2500-supportlist.html
http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?objectInput=1.3.6.1.4.1.9.11.2.3&translate=Translate&submitValue=SUBMIT&submitClicked=true

Do not have a 2507 to poll and see what the cascade is.
The translator nor the browser goes down that far.

0
 
LVL 22

Expert Comment

by:eeRoot
ID: 36895384
I don't see any known malware associated with that OID string.  It may be an SNMP scanner or software that tries to locate and/or map out network devices.  Can you monitor the traffic hitting the server, watch for SNMP traffic, and identify the IP's

What version of Linux is this, do you have any packet analyzing software loaded on it?
0
 
LVL 1

Author Comment

by:mhenwood
ID: 36896357
I don't have a 2507 so the SNMP get/walk won't work.  I have tried to figure out what MIB to download but can't figure out the which file breaks down the cisco2507RptrGroup MIB.  
I know the IP of the requestor, it is a student on our secure wireless network.  He is not know for being a hacker and probably doesn't know his computer is doing this.
The linux machine is a virtual machine appliance that runs the vSphere Management Assistant.  I believe it is a Cent OS with a 2.6.18 kernel.  It does not appear to have an X Server but I could probably use tcpdump.  I am setting up the sever so at present it is not doing much and could probably afford to log everything from the suspect IP.  
One of the reasons I am interested in this is to understand how to trace this kind of thing.  How did you go about verifying that no known malware uses this OID, if you don't mind my asking?

Mark
0
WatchGuard Case Study: NCR

With business operations for thousands of customers largely depending on the internal systems they support, NCR can’t afford to waste time or money on security products that are anything less than exceptional. That’s why they chose WatchGuard.

 
LVL 80

Expert Comment

by:arnold
ID: 36897246
The user may have downloaded a CCNA/router simulation tool set.
The user might be trying to learn the use of the SNMP tools and then practice sending SNMP commands.

Did a quick search and CNET has 2500 router simulation tools as well as others.
0
 
LVL 22

Accepted Solution

by:
eeRoot earned 900 total points
ID: 36898571
If you know the IP of the source, there isn't much else to do but see what software is running on that PC.  I looked it up by checking for references to that OID string on Symantec's, F secure's, and Cisco's websites.
0
 
LVL 1

Author Closing Comment

by:mhenwood
ID: 36902854
Still don't know what that OID is.
0

Featured Post

Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as high-speed processing of the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A Wildcard Certificate means all of your sub-domains will resolve to the same location, regardless of the non-SSL Document-Root specification. A user will need to purchase a wildcard SSL from a vendor or a reseller that supplies them. Similar to ha…
In this article, WatchGuard's Director of Security Strategy and Research Teri Radichel, takes a look at insider threats, the risk they can pose to your organization, and the best ways to defend against them.
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…

963 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question