I don't have SNMP services installed, but Suricata is consistently logging and blocking SNMP traffic on the WAN interface going to a private IP. I don't use that private IP range on any LAN or VLANs I have.
Timestamp | SID | Action | Source | Port | Destination | Port | Alert
2022-01-04T14:59:45.775134-0800 | 2101411 | blocked | (my WAN1 public IP) | 8323 | 10.10.20.60 | 161 | GPL SNMP public access udp
2022-01-04T14:59:45.775134-0800 | 2101411 | blocked | (my WAN1 public IP) | 8323 | 10.10.20.60 | 161 | GPL SNMP public access udp
2022-01-04T14:59:36.676334-0800 | 2101411 | blocked | (my WAN1 public IP) | 8323 | 10.10.20.60 | 161 | GPL SNMP public access udp
2022-01-04T14:59:36.676334-0800 | 2101411 | blocked | (my WAN1 public IP) | 8323 | 10.10.20.60 | 161 | GPL SNMP public access udp
2022-01-04T14:59:26.612630-0800 | 2101411 | blocked | (my WAN1 public IP) | 8323 | 10.10.20.60 | 161 | GPL SNMP public access udp
`sudo sockstat -4` doesn't show any processes listening on port 161.
How can I track down what seems to be sending SNMP traffic from the WAN interface?
<bump> and additional info:
I'm only running 4 additional plugins:
os-dmidecode
os-dyndns
wireguard-go
os-redis
I have 2 WAN connections with 2 gateways (primary and failover), but even if I shut down the failover and put a check on "Disable Gateway Monitoring", I still see the ICMP packets logged in IDS.
Still want to know what is sending those SNMP probes from the public IP of the WAN1 port. What's interesting is that there are no probes being sent from the WAN2 port, although it's truly only a failover, not a load balance, and the WAN2 connection is only active if WAN1 fails.
Windows stalking a HP printer over VPN?
Try `tcpdump -i <your-lan-if> -n port 161`.
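A small triage helper for this kind of "who on the firewall is sending this?" question, added here as an example and not part of any post in the thread. It captures on the WAN interface itself (so the suspect traffic is seen where the alerts fire), pulls the source port out of the tcpdump summary line, and then looks that port up in `sockstat` and the pf state table, since a source port that never changes across alerts (8323 above) usually means a long-lived socket owned by a local process. The interface name `igb0` is an assumption; replace it with the WAN1 interface.

```shell
#!/bin/sh
# Added example for a FreeBSD/OPNsense host; the interface name is assumed.
WAN_IF="${WAN_IF:-igb0}"      # ASSUMED: set to the real WAN1 interface
TARGET="10.10.20.60"          # destination from the Suricata alerts above

# Step 1: capture on the WAN interface, decoding the SNMP payload (-vv) so the
# community string the "GPL SNMP public access udp" rule matches on is visible.
capture_cmd() {
    printf 'tcpdump -i %s -n -vv udp and dst host %s and dst port 161\n' \
        "$WAN_IF" "$TARGET"
}

# Step 2: pull the source port from a tcpdump summary line such as
#   "14:59:45.775134 IP 203.0.113.5.8323 > 10.10.20.60.161: ..."
src_port_from_line() {
    printf '%s\n' "$1" |
        sed -n 's/^.* IP [0-9.]*\.\([0-9]*\) > [0-9.]*\.161:.*$/\1/p'
}

# Step 3: a UDP socket bound to that port shows the owning command and PID in
# sockstat (sockstat -4 alone lists every IPv4 socket, not only listeners, but
# filtering on the source port, not port 161, is what finds the sender). The pf
# state table shows the same flow even when the socket is short-lived.
owner_cmds() {
    printf 'sockstat -4 -P udp | grep ":%s "\n' "$1"
    printf 'pfctl -ss | grep "%s"\n' "$TARGET"
}

# With RUN_ON_FIREWALL=1 the commands are executed; otherwise they are printed
# so the script can be read and tested off the box.
if [ -n "${RUN_ON_FIREWALL:-}" ]; then
    line=$(sh -c "$(capture_cmd) -c 1 2>/dev/null")
    port=$(src_port_from_line "$line")
    owner_cmds "$port" | sh
fi
```

Run it once with `RUN_ON_FIREWALL=1` on the firewall while the alerts are appearing; the `sockstat` line names the process holding the port, and an empty result with a pf state still present points at a short-lived sender that is worth catching with a longer capture.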
Quote from: chemlud on January 11, 2022, 08:15:58 AM
Windows stalking a HP printer over VPN?
I don't think so. Traffic to private IP ranges should be blocked by the firewall from leaking out onto the WAN (and I know I have those rules in place to do so), so this shouldn't be traffic coming from any LAN. It has to be generated by opnsense itself and it seems to be originating right at the WAN port. I'm running on bare metal so there is no hypervisor or host that could be doing this, either.
pmhausen, I'll try the tcpdump command later today after the workday.