GPL SNMP public access udp [Classification: Attempted Information Leak]


packetsmacker

Jun 1, 2016, 4:26:50 PM
to security-onion
How can I investigate this alert? If I group by srcip I can see the top IP is our print server. The other servers in the list do a number of different jobs and are a mix of Windows and Linux. I am having a hard time determining if this is a false positive.


A few months ago I created a rewrite rule in /etc/nsm/rules/local.rules and added all the print servers there. I followed the steps from the wiki. I still see the IPs I put in the rewrite rule, so I am not sure how it works. The way I read the rewrite rule is that I wouldn't see the alert if the srcip was in my variable which lists the print servers. This may need a post by itself to troubleshoot the rewrite rule.


I was trying to do the rewrite and not disable this alert because I heard a talk at a security con about using SNMP to exfil data. I can't seem to find the talk or any good info on SNMP being used for exfil.


This is by far the noisiest alert that I have.
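The triage the original poster describes (group the "GPL SNMP public access udp" alerts by source IP, then decide which sources are the known print servers and which are not) can be done offline against a fast.log export. The script below is an added example and is not code from the thread or from Security Onion; the fast.log lines, the allow-list of print server addresses, and the [gid:sid:rev] and priority values in the sample are constructed for the example and are not taken from any real sensor.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample of Snort fast.log-style alert lines (not captured traffic).
# The [gid:sid:rev] and [Priority] values are placeholders chosen for the example;
# 10.10.1.5 plays the print server, 10.10.2.x are printers, 10.10.3.x are workstations.
SAMPLE_FAST_LOG = """\
06/01-16:20:01.000001  [**] [1:1411:10] GPL SNMP public access udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 10.10.1.5:49152 -> 10.10.2.20:161
06/01-16:20:02.000002  [**] [1:1411:10] GPL SNMP public access udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 10.10.1.5:49153 -> 10.10.2.21:161
06/01-16:20:03.000003  [**] [1:1411:10] GPL SNMP public access udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 10.10.3.40:51000 -> 10.10.2.20:161
06/01-16:20:04.000004  [**] [1:1411:10] GPL SNMP public access udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 10.10.1.5:49154 -> 10.10.2.20:161
06/01-16:20:05.000005  [**] [1:1411:10] GPL SNMP public access udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 10.10.3.41:51001 -> 10.10.2.22:161
06/01-16:20:06.000006  [**] [1:366:7] GPL ICMP_INFO PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.10.3.40 -> 10.10.2.20
06/01-16:20:07.000007  [**] [1:1411:10] GPL SNMP public access udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 10.10.3.40:51002 -> 10.10.2.20:161
06/01-16:20:08.000008  [**] [1:1411:10] GPL SNMP public access udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 10.10.1.5:49155 -> 10.10.2.22:161
"""

# Hypothetical allow-list of hosts that are expected to poll printers over SNMP.
KNOWN_PRINT_SERVERS = ["10.10.1.5/32"]

# One fast.log record: timestamp, [gid:sid:rev], message, optional classification
# and priority, protocol, then "src[:port] -> dst[:port]" (ICMP lines carry no ports).
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"(?:\[Priority:\s+(?P<prio>\d+)\]\s+)?"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_fast_log(text):
    """Parse fast.log lines into dicts of named fields; non-matching lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_LOG_RE.match(line.strip())
        if m:
            alerts.append(m.groupdict())
    return alerts


def triage(alerts, known_pollers, msg="GPL SNMP public access udp"):
    """Count one signature's alerts per source IP, record which destinations each
    source touched, and split sources into those inside the allow-list and the rest."""
    nets = [ip_network(n, strict=False) for n in known_pollers]
    by_src = Counter()
    targets = defaultdict(set)
    for a in alerts:
        if a["msg"] != msg:
            continue  # other signatures are not part of this triage
        by_src[a["src"]] += 1
        targets[a["src"]].add(a["dst"])

    def is_known(ip):
        addr = ip_address(ip)
        return any(addr in n for n in nets)

    return {
        "by_src": dict(by_src),
        "targets": {s: sorted(d) for s, d in targets.items()},
        "expected": {s: c for s, c in by_src.items() if is_known(s)},
        "unexpected": {s: c for s, c in by_src.items() if not is_known(s)},
    }


if __name__ == "__main__":
    result = triage(parse_fast_log(SAMPLE_FAST_LOG), KNOWN_PRINT_SERVERS)
    print("alerts per source:", result["by_src"])
    print("known pollers    :", result["expected"])
    print("needs a look     :", result["unexpected"])
    for src, dsts in result["targets"].items():
        print(f"  {src} queried {len(dsts)} device(s): {', '.join(dsts)}")
```

The "expected" bucket is the print server polling its printers on UDP/161 with the default community string, which is the noise Wes describes; the "unexpected" bucket is where workstations mapped directly to printers (or anything else sending "public" to port 161) show up, and those are the sources worth checking first. Counting the sources that the local.rules change was meant to cover also gives a direct reading of whether that change is having any effect.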

Wes

Jun 1, 2016, 4:35:07 PM
to security-onion

I've had this problem before when users were directly mapped to printers and/or the printers were configured to use a default public community string.

I saw a large drop in alerts after machines were configured to use an appropriate server and SNMP was disabled.

I would work to fix this, as it is a legitimate case. Check your print server and its SNMP settings, as well as any other printers/devices that may be alerted upon.

See the following for more background (a little dated, but still useful):
https://www.giac.org/paper/gcih/44/default-snmp-community-strings-set-public-private/100366

Thanks,
Wes

packetsmacker

Jun 2, 2016, 9:33:18 AM
to security-onion

Thanks. I read the doc. Now I just have to figure out a way to turn it off. Nice explanation of MIBs.
