Re: SNMP False Positives

From: Ben Klang (ben.klang@transchannel.com)
Date: Fri Apr 12 2002 - 16:42:05 EDT

• Next message: Leif Sawyer: "RE: SNMP False Positives"
• Previous message: Matthew Leeds: "Re: Problem with fport"
• In reply to: Cox, Michael: "SNMP False Positives"
• Next in thread: Leif Sawyer: "RE: SNMP False Positives"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

I have noticed similar responses from our HP-UX boxes. This includes
HP-UX 10.20 and 11.00. Nessus reported that any string sent was a valid
community name.

-BAK

On Thu, 2002-04-11 at 15:26, Cox, Michael wrote:
> I'm getting a lot of "default community string enabled" false positives from
> Nessus, Retina, and verified with SNMPing.
>
> On certain boxes, Nessus and Retina report that every string they check is
> enabled. When running SNMPing and "pinging" a Solaris 8 box I am told the
> service is enabled and available. I get this response no matter what
> community string I use. The output from tcpdump is below which seems to say
> that the requested object doesn't exist. Can anyone help me out here and
> explain this? I've seen this 20-30 times (and I think they are all Solaris
> boxes, but I need to double-check). I'm guessing that they (Sun) don't
> implement the standard MIB II variables, or something, since the request is
> just asking for the system name. The tools must have been written to look
> for any GetResponse, even if it is an error. Of course, that raises the
> question of why Solaris is sending anything, even errors, to invalid
> communities; any request from an invalid community should be dropped. Or,
> maybe I'm barking up the wrong tree entirely, and someone will have a better
> answer.
>
> Many thanks in advance!
>
> Mike
>
>
> windump: listening on\Device\Packet_{BFF5A60B-F6E6-42FC-B01E-6C4CBD86B5FC}
> 15:20:46.996306 arp who-has hogan.itg.ti.com tell cna9815016
> 15:20:46.996718 arp reply hogan.itg.ti.com is-at 0:3:ba:8:50:3c
> 15:20:46.996731 cna9815016.1734 > hogan.itg.ti.com.161: |30|26|02|01SNMPv1
> |04|
> 06C=abc123 |a0|19GetRequest(25)|02|01|02|01|02|01|30|0e
> |30|0c|06|08system.sysNa
> me.0|05|00 (ttl 128, id 5981, bad cksum 0!)
> 15:20:46.997434 hogan.itg.ti.com.161 > cna9815016.1734: |30|26|02|01SNMPv1
> |04|
> 06C=abc123 |a2|19GetResponse(25)|02|01|02|01 noSuchName|02|01@1|30|0e
> |30|0c|06|
> 08system.sysName.0=|05|00 (DF) (ttl 255, id 25971)
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
> Service. For more information on SecurityFocus' SIA service which
> automatically alerts you to the latest security vulnerabilities please see:
> https://alerts.securityfocus.com/
>

• application/pgp-signature attachment: This is a digitally signed message part

• Next message: Leif Sawyer: "RE: SNMP False Positives"
• Previous message: Matthew Leeds: "Re: Problem with fport"
• In reply to: Cox, Michael: "SNMP False Positives"
• Next in thread: Leif Sawyer: "RE: SNMP False Positives"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:20 EDT