
Question about SNMP detections #227

Closed
GrassfedMeatSticks opened this issue Dec 27, 2022 · 4 comments

Comments

@GrassfedMeatSticks

Hi,
We occasionally receive detections in groups of three like this:

Event 1: {"dst_host": "0.0.0.0", "dst_port": 161, "local_time": "2022-12-23 01:33:17.947719", "local_time_adjusted": "2022-12-22 19:33:17.947749", "logdata": {"COMMUNITY_STRING": "public", "REQUESTS": ["1.3.6.1.2.1.25.3.5.1.1", "1.3.6.1.4.1.11.2.3.9.1.1.1"]}, "logtype": 13001, "node_id": "opencanary-1", "src_host": "", "src_port": 49995, "utc_time": "2022-12-23 01:33:17.947742"}

Event 2: {"dst_host": "0.0.0.0", "dst_port": 161, "local_time": "2022-12-23 01:33:20.019206", "local_time_adjusted": "2022-12-22 19:33:20.019236", "logdata": {"COMMUNITY_STRING": "public", "REQUESTS": ["1.3.6.1.2.1.25.3.5.1.1", "1.3.6.1.4.1.11.2.3.9.1.1.1"]}, "logtype": 13001, "node_id": "opencanary-1", "src_host": "", "src_port": 49995, "utc_time": "2022-12-23 01:33:20.019229"}

Event 3: {"dst_host": "0.0.0.0", "dst_port": 161, "local_time": "2022-12-23 01:33:22.104133", "local_time_adjusted": "2022-12-22 19:33:22.104163", "logdata": {"COMMUNITY_STRING": "public", "REQUESTS": ["1.3.6.1.2.1.25.3.5.1.1", "1.3.6.1.4.1.11.2.3.9.1.1.1"]}, "logtype": 13001, "node_id": "opencanary-1", "src_host": "", "src_port": 49995, "utc_time": "2022-12-23 01:33:22.104155"}

I looked up the OIDs and they appear to map to a printer of some sort, but the src_host is a computer that is configured similarly to hundreds of other computers. I've removed all proprietary printer (Epson) software from this device, but still receive these SNMP detections.

Is my understanding correct that something on this computer is trying to broadcast its SNMP information to an SNMP trap and it just so happened to hit my canary? Has anyone else picked up random SNMP detections like this?

@GrassfedMeatSticks GrassfedMeatSticks changed the title Question about SNMP false positives Question about SNMP detections Dec 27, 2022
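
As an added example (not part of the original issue, and not OpenCanary's own code), the following Python groups OpenCanary SNMP events like the three above into one triage record per burst and labels the requested OIDs by prefix, so a repeated printer-status poll from one workstation is reported once with a count rather than as three alerts. The log lines are constructed to match the shape of the events above; the src_host values, the 10-second burst window and the OID prefix table are assumptions of this example.

```python
import json
from datetime import datetime, timedelta

# Constructed sample lines in the shape of OpenCanary's JSON log output
# (logtype 13001 = SNMP request). The first three mirror the triplet in the
# issue; the fourth is an invented contrasting probe for a Dell enterprise OID.
# src_host values are documentation addresses, not real hosts.
SAMPLE_LOG = """\
{"dst_host": "0.0.0.0", "dst_port": 161, "logdata": {"COMMUNITY_STRING": "public", "REQUESTS": ["1.3.6.1.2.1.25.3.5.1.1", "1.3.6.1.4.1.11.2.3.9.1.1.1"]}, "logtype": 13001, "node_id": "opencanary-1", "src_host": "192.0.2.10", "src_port": 49995, "utc_time": "2022-12-23 01:33:17.947742"}
{"dst_host": "0.0.0.0", "dst_port": 161, "logdata": {"COMMUNITY_STRING": "public", "REQUESTS": ["1.3.6.1.2.1.25.3.5.1.1", "1.3.6.1.4.1.11.2.3.9.1.1.1"]}, "logtype": 13001, "node_id": "opencanary-1", "src_host": "192.0.2.10", "src_port": 49995, "utc_time": "2022-12-23 01:33:20.019229"}
{"dst_host": "0.0.0.0", "dst_port": 161, "logdata": {"COMMUNITY_STRING": "public", "REQUESTS": ["1.3.6.1.2.1.25.3.5.1.1", "1.3.6.1.4.1.11.2.3.9.1.1.1"]}, "logtype": 13001, "node_id": "opencanary-1", "src_host": "192.0.2.10", "src_port": 49995, "utc_time": "2022-12-23 01:33:22.104155"}
{"dst_host": "0.0.0.0", "dst_port": 161, "logdata": {"COMMUNITY_STRING": "public", "REQUESTS": ["1.3.6.1.4.1.674.10892.2.1.2.1"]}, "logtype": 13001, "node_id": "opencanary-1", "src_host": "192.0.2.77", "src_port": 51000, "utc_time": "2022-12-23 02:10:05.000000"}
"""

# Prefix table (assumed for this example). 1.3.6.1.2.1.25.3.5.1.1 is
# hrPrinterStatus from HOST-RESOURCES-MIB; enterprise 11 is Hewlett-Packard
# and 674 is Dell in the IANA SMI enterprise registry.
OID_HINTS = (
    ("1.3.6.1.2.1.25.3.5.1.1", "printer"),   # printer status poll
    ("1.3.6.1.4.1.11.", "printer"),          # HP subtree: printer driver traffic
    ("1.3.6.1.4.1.674.", "server"),          # Dell subtree: iDRAC/OpenManage
)

SNMP_LOGTYPE = 13001


def classify_oid(oid):
    """Map a dotted OID to a coarse category using the prefix table."""
    for prefix, kind in OID_HINTS:
        if oid.startswith(prefix):
            return kind
    return "unknown"


def parse_event(line):
    """Return the fields we need from one OpenCanary JSON line, or None if not SNMP."""
    ev = json.loads(line)
    if ev.get("logtype") != SNMP_LOGTYPE:
        return None
    return {
        "ts": datetime.strptime(ev["utc_time"], "%Y-%m-%d %H:%M:%S.%f"),
        "src": ev.get("src_host") or "<unknown>",   # src_host can be empty, as in the issue
        "sport": ev.get("src_port"),
        "community": ev["logdata"].get("COMMUNITY_STRING"),
        "requests": tuple(ev["logdata"].get("REQUESTS", [])),
    }


def group_bursts(lines, window=timedelta(seconds=10)):
    """Collapse repeated identical requests (same source, port, community, OIDs)
    that arrive within `window` of each other into one record with a count."""
    open_bursts, bursts = {}, []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        key = (ev["src"], ev["sport"], ev["community"], ev["requests"])
        b = open_bursts.get(key)
        if b and ev["ts"] - b["last"] <= window:
            b["count"] += 1
            b["last"] = ev["ts"]
        else:
            b = {"key": key, "first": ev["ts"], "last": ev["ts"], "count": 1}
            open_bursts[key] = b
            bursts.append(b)
    for b in bursts:
        src, sport, community, requests = b["key"]
        kinds = {classify_oid(o) for o in requests}
        if kinds == {"printer"}:
            verdict = "likely printer discovery"
        elif "server" in kinds:
            verdict = "server enumeration"
        else:
            verdict = "unknown, investigate"
        b.update(src=src, sport=sport, community=community,
                 requests=list(requests), verdict=verdict)
    return bursts


if __name__ == "__main__":
    for b in group_bursts(SAMPLE_LOG.splitlines()):
        print(f'{b["src"]}:{b["sport"]} x{b["count"]} community={b["community"]!r} '
              f'{b["requests"]} -> {b["verdict"]}')
```

The prefix table only knows hrPrinterStatus and the HP and Dell subtrees; extend it as new OIDs appear in your logs, and treat anything that lands in "unknown, investigate" as worth a look rather than as noise. Keying the burst on the community string as well as the OIDs means a source that walks through several community strings shows up as separate records instead of being folded into one.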
@jayjb
Contributor

jayjb commented Dec 30, 2022

Hi @GrassfedMeatSticks,

Thanks for getting in touch with us. Looking at those OIDs, I'd agree with you that some software on that host is probing your OpenCanary host with SNMP requests regarding an HP printer status.

If you have any more information, I'd be happy to try to figure out what is happening.

@GrassfedMeatSticks
Author

Thanks @jayjb

This is about all of the information I have.
I've inspected the software inventory on these computers but couldn't find any common titles. I uninstalled several pieces of Epson bloatware on one of the machines that still trips this alert.

In the grand scheme of things, it's like 2 or 3 computers out of 3,000+ that trigger this alert randomly.

I was hoping to try to understand these alerts from the other side. That is, what sort of attack is the canary trying to detect by listening on port 161? Why would a printer or printer software indiscriminately be spamming the network with traffic for 161?

@ChlorideCull

Check what printers are configured on the machine - it's usually part of the driver software itself, not any external utilities. You could also just ask those employees what printers they have at home, and if they've used it with their work computer :)

> I was hoping to try to understand these alerts from the other side. That is, what sort of attack is the canary trying to detect by listening on port 161? Why would a printer or printer software indiscriminately be spamming the network with traffic for 161?

It just happens that some printers send status commands (among other things) over SNMP - in this case it's probably trying to scan the network for printers so it can offer configuring them for the user, or configure things automatically. It sends out a couple, to avoid missing a printer due to packet loss.

An attacker trying to scan the network could also send a request to broadcast for, say, 1.3.6.1.4.1.674.10892.2.1.2.1, and all Dell servers configured for SNMP will helpfully respond with the version of their iDRAC (at least if I read the documentation correctly) if the community string matches, which lets you quickly find vulnerable ones. That's why you'd want to monitor requests like that.

@GrassfedMeatSticks
Author

Thanks for the explanation @ChlorideCull. That was what I was looking for.

I did remove the Epson driver via appwiz.cpl and re-installed the printer through Windows Metro settings for one specific user.

It is sporadic, but I don't think we've picked up any more detections from that specific computer since.

I am trying to follow up with other detections as they arise and seeing if there is a driver listed in appwiz.cpl and if I can re-install the printer using native Windows drivers.


3 participants