Suricata detecting outbound SNMP on WAN interface

Started by Xelas, January 05, 2022, 12:05:45 AM

January 05, 2022, 12:05:45 AM Last Edit: January 11, 2022, 04:24:14 AM by Xelas
I don't have SNMP services installed, but Suricata is consistently logging and blocking SNMP traffic on the WAN interface going to a private IP. I don't use that private IP range on any LAN or VLANs I have.

Timestamp | SID | Action | Source | Port | Destination | Port | Alert
2022-01-04T14:59:45.775134-0800 | 2101411 | blocked | (my WAN1 public IP) | 8323 | 10.10.20.60 | 161 | GPL SNMP public access udp
2022-01-04T14:59:45.775134-0800 | 2101411 | blocked | (my WAN1 public IP) | 8323 | 10.10.20.60 | 161 | GPL SNMP public access udp
2022-01-04T14:59:36.676334-0800 | 2101411 | blocked | (my WAN1 public IP) | 8323 | 10.10.20.60 | 161 | GPL SNMP public access udp
2022-01-04T14:59:36.676334-0800 | 2101411 | blocked | (my WAN1 public IP) | 8323 | 10.10.20.60 | 161 | GPL SNMP public access udp
2022-01-04T14:59:26.612630-0800 | 2101411 | blocked | (my WAN1 public IP) | 8323 | 10.10.20.60 | 161 | GPL SNMP public access udp

sudo sockstat -4 doesn't show any processes listening on port 161.

How can I track down what seems to be sending SNMP traffic from the WAN interface?



ProtectLi FW6 | Intel i3-7100U CPU @ 2.40GHz (4 cores) | 8GB RAM | 120GB SSD
Prod Release Train.

<bump> and additional info:
I'm only running 4 additional plugins:
os-dmidecode
os-dyndns
wireguard-go
os-redis

I have 2 WAN connections with 2 gateways (primary and failover), but even if I shut down the failover and put a check on "Disable Gateway Monitoring", I still see the ICMP packets logged in IDS.

Still want to know what is sending those SNMP probes from the public IP of the WAN1 port. What's interesting is that there are no probes being sent from the WAN2 port, although it's truly only a failover, not a load balance, and the WAN2 connection is only active if WAN1 fails.
ProtectLi FW6 | Intel i3-7100U CPU @ 2.40GHz (4 cores) | 8GB RAM | 120GB SSD
Prod Release Train.
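As an added example (not code from the thread or from OPNsense), the script below parses the alert rows Xelas posted, drops the duplicated entries, and derives what the alerts already say about the sender: one constant source port (8323) and a roughly 10-second cadence point to a single long-lived UDP client socket on the firewall itself, which a check for listeners on port 161 will never show. The redacted WAN1 address is replaced by a TEST-NET placeholder, and `<wan1-if>` stands for the WAN1 interface name; `sockstat -P udp -p <port>` is the FreeBSD sockstat(1) syntax for filtering by protocol and port.

```python
from datetime import datetime
from statistics import median

# Rows re-typed from the alert table above (constructed input). The WAN1 address
# was redacted in the post; 203.0.113.10 is a TEST-NET placeholder for it.
ALERT_ROWS = """\
2022-01-04T14:59:45.775134-0800 |2101411 |blocked |203.0.113.10 |8323 |10.10.20.60 |161 |GPL SNMP public access udp
2022-01-04T14:59:45.775134-0800 |2101411 |blocked |203.0.113.10 |8323 |10.10.20.60 |161 |GPL SNMP public access udp
2022-01-04T14:59:36.676334-0800 |2101411 |blocked |203.0.113.10 |8323 |10.10.20.60 |161 |GPL SNMP public access udp
2022-01-04T14:59:36.676334-0800 |2101411 |blocked |203.0.113.10 |8323 |10.10.20.60 |161 |GPL SNMP public access udp
2022-01-04T14:59:26.612630-0800 |2101411 |blocked |203.0.113.10 |8323 |10.10.20.60 |161 |GPL SNMP public access udp
"""

def parse_alerts(text):
    """Parse pipe-separated alert rows, drop exact duplicates, return oldest first."""
    seen, alerts = set(), []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sid, action, src, sport, dst, dport, msg = [f.strip() for f in line.split("|")]
        key = (ts, sid, src, sport, dst, dport)
        if key in seen:          # the GUI listed every hit twice; count each packet once
            continue
        seen.add(key)
        alerts.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z"),
            "sid": int(sid), "action": action, "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "msg": msg,
        })
    return sorted(alerts, key=lambda a: a["ts"])

def summarize(alerts):
    """Facts that characterise the sender: how many sockets, how many targets, cadence."""
    gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(alerts, alerts[1:])]
    return {
        "count": len(alerts),
        "src_ports": sorted({a["sport"] for a in alerts}),
        "dsts": sorted({a["dst"] for a in alerts}),
        "median_gap_s": median(gaps) if gaps else None,
    }

def next_checks(summary):
    """FreeBSD-side commands to run on the firewall, chosen from what the alerts show."""
    checks = []
    if len(summary["src_ports"]) == 1:
        # One constant ephemeral source port = one long-lived UDP socket. A listener
        # check on port 161 misses it; look up the owner of the *source* port instead.
        checks.append(f"sockstat -4 -P udp -p {summary['src_ports'][0]}")
    checks.append("tcpdump -i <wan1-if> -n udp port 161")  # confirm it on the wire
    return checks
```

Run `summarize(parse_alerts(ALERT_ROWS))` on a fuller export of the alert list; a spread of source ports would instead suggest a short-lived process reopening a socket each time.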

Windows stalking an HP printer over VPN?
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

Felix Eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

Try `tcpdump -i <your-lan-if> -n port 161`.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: chemlud on January 11, 2022, 08:15:58 AM
Windows stalking an HP printer over VPN?

I don't think so. Traffic to private IP ranges should be blocked by the firewall from leaking out onto the WAN (and I know I have those rules in place to do so), so this shouldn't be traffic coming from any LAN. It has to be generated by OPNsense itself, and it seems to be originating right at the WAN port. I'm running on bare metal, so there is no hypervisor or host that could be doing this, either.

pmhausen, I'll try the tcpdump command later today after the workday.
ProtectLi FW6 | Intel i3-7100U CPU @ 2.40GHz (4 cores) | 8GB RAM | 120GB SSD
Prod Release Train.