Suricata detecting outbound SNMP on WAN interface
Topic: Suricata detecting outbound SNMP on WAN interface (Read 3136 times)
Xelas
Newbie, Posts: 26, Karma: 0
Suricata detecting outbound SNMP on WAN interface
« on: January 05, 2022, 12:05:45 am »
I don't have SNMP services installed, but Suricata is consistently logging and blocking SNMP traffic on the WAN interface going to a private IP. I don't use that private IP range on any LAN or VLANs I have.
Timestamp | SID | Action | Source | Port | Destination | Port | Alert
2022-01-04T14:59:45.775134-0800 | 2101411 | blocked | (my WAN1 public IP) | 8323 | 10.10.20.60 | 161 | GPL SNMP public access udp
2022-01-04T14:59:45.775134-0800 | 2101411 | blocked | (my WAN1 public IP) | 8323 | 10.10.20.60 | 161 | GPL SNMP public access udp
2022-01-04T14:59:36.676334-0800 | 2101411 | blocked | (my WAN1 public IP) | 8323 | 10.10.20.60 | 161 | GPL SNMP public access udp
2022-01-04T14:59:36.676334-0800 | 2101411 | blocked | (my WAN1 public IP) | 8323 | 10.10.20.60 | 161 | GPL SNMP public access udp
2022-01-04T14:59:26.612630-0800 | 2101411 | blocked | (my WAN1 public IP) | 8323 | 10.10.20.60 | 161 | GPL SNMP public access udp
sudo sockstat -4 doesn't show any processes listening on port 161.
How can I track down what seems to be sending SNMP traffic from the WAN interface?
« Last Edit: January 11, 2022, 04:24:14 am by Xelas »
ProtectLi FW6 | Intel i3-7100U CPU @ 2.40GHz (4 cores) | 8GB RAM | 120GB SSD
Prod Release Train.
Xelas
Newbie, Posts: 26, Karma: 0
Re: Suricata detecting SNMP on WAN interface
« Reply #1 on: January 11, 2022, 02:51:58 am »
<bump> and additional info:
I'm only running 4 additional plugins:
os-dmidecode
os-dyndns
wireguard-go
os-redis
I have 2 WAN connections with 2 gateways (primary and failover), but even if I shut down the failover and put a check on "Disable Gateway Monitoring", I still see the ICMP packets logged in IDS.
Still want to know what is sending those SNMP probes from the public IP of the WAN1 port. What's interesting is that there are no probes being sent from the WAN2 port, although it's truly only a failover, not a load balance, and the WAN2 connection is only active if WAN1 fails.
chemlud
Hero Member, Posts: 2485, Karma: 112
Re: Suricata detecting outbound SNMP on WAN interface
« Reply #2 on: January 11, 2022, 08:15:58 am »
Windows stalking a HP printer over VPN?
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare
Felix Eichhorn's premium cat food with the extra portion of energy
A router is not a switch - A router is not a switch - A router is not a switch - A rou....
Patrick M. Hausen
Hero Member, Posts: 6807, Karma: 572
Re: Suricata detecting outbound SNMP on WAN interface
« Reply #3 on: January 11, 2022, 08:43:42 am »
Try `tcpdump -i <your-lan-if> -n port 161`.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
Xelas
Newbie, Posts: 26, Karma: 0
Re: Suricata detecting outbound SNMP on WAN interface
« Reply #4 on: January 11, 2022, 06:24:57 pm »
Quote from: chemlud on January 11, 2022, 08:15:58 am
Windows stalking a HP printer over VPN?
I don't think so. Traffic to private IP ranges should be blocked by the firewall from leaking out onto the WAN (and I know I have those rules in place to do so), so this shouldn't be traffic coming from any LAN. It has to be generated by OPNsense itself and it seems to be originating right at the WAN port. I'm running on bare metal so there is no hypervisor or host that could be doing this, either.
pmhausen, I'll try the tcpdump command later today after the workday.