Question

NetSight: Trap Log filling Up with Junk


Userlevel 2
So there are a couple of computers on campus which run software that actively goes out and "seeks" Multi-Function Printers and gets a status from them using SNMP V1 with the public community string. It runs through the entire network and retrieves responses back from the printers on their health, and more importantly, how many pages they printed for accounting purposes.

Since we don't use SNMP V1 on any of our devices, these queries are getting rejected and in turn filling up the trap log with "Incorrect Community Name" messages. Hundreds of them.

Needless to say, this is quite annoying and when we go to look for legitimate traps in the NetSight log they've been overrun by this junk.

Any ideas on what to do about this? The software needs to check so I'm not terribly concerned about the methodology, but I would like them to stop showing up in the trap log so we can get more meaningful information from it.

Thank you in advance!

2 replies

Userlevel 4
The traps are expected if someone has your SNMP station's IP address. The best way to handle this is to capture SNMP traffic with a sniffer.
Another way (if using something like a SecureStack or S series) is to put in a manual policy to block SNMP, such as the following examples:

set policy profile 45 name NoNo
set policy rule 45 ipsourcesocket 10.26.196.5 mask 32 drop
set policy rule 45 udpdestport 161 drop
set policy rule 45 macsource 00-00-00-00-00-00 mask 48 drop
set policy rule 45 ipsourcesocket 10.26.255.255:161 mask 48 drop
Userlevel 2
Jason, This looks great. I'll try putting this policy in place. I'll let you know how it went. Thanks!
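
One way to separate the "Incorrect Community Name" noise from the rest of a trap log and to identify the polling hosts that a source-based policy rule like the one in the reply above would target. This is an added example, not code from the thread or from NetSight; the log line layout, the "from <ip>" suffix and the `triage` function are assumptions, and the sample lines are constructed.

```python
import re
from collections import Counter

# Constructed sample lines. The real NetSight trap log layout is not shown on
# the page, so this "time | reporting device | trap | message" format is assumed.
SAMPLE_LOG = """\
2015-03-02 10:14:07 | 10.26.10.2 | authenticationFailure | Incorrect Community Name from 10.26.196.5
2015-03-02 10:14:07 | 10.26.10.3 | authenticationFailure | Incorrect Community Name from 10.26.196.5
2015-03-02 10:14:09 | 10.26.10.2 | linkDown | ifIndex 12 ge.1.12
2015-03-02 10:14:11 | 10.26.10.4 | authenticationFailure | Incorrect Community Name from 10.26.196.5
2015-03-02 10:15:30 | 10.26.10.7 | authenticationFailure | Incorrect Community Name
2015-03-02 10:16:02 | 10.26.10.3 | coldStart | agent restarted
2015-03-02 10:17:45 | 10.26.10.9 | authenticationFailure | Incorrect Community Name from 10.26.40.77
"""

# Assumed: the trap message ends with the address of the rejected requester.
SOURCE_RE = re.compile(r"from (\d{1,3}(?:\.\d{1,3}){3})\s*$")

def triage(log_text, threshold=3):
    """Split a trap log into community-name noise and everything else.

    Returns (pollers, review, other):
      pollers - {source_ip: count} for sources at or above threshold
      review  - auth-failure lines not explained by one of those pollers
      other   - all remaining traps, in original order
    """
    per_source = Counter()
    auth_lines, other = [], []
    for line in log_text.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 4:
            continue  # skip blank or malformed lines
        trap, message = fields[2], fields[3]
        if trap == "authenticationFailure" and "Incorrect Community Name" in message:
            match = SOURCE_RE.search(message)
            src = match.group(1) if match else None
            if src:
                per_source[src] += 1
            auth_lines.append((src, line))
        else:
            other.append(line)
    pollers = {ip: n for ip, n in per_source.items() if n >= threshold}
    # Failures from unknown or low-volume sources are kept for review: they are
    # not the accounting software and may be a misconfiguration or a probe.
    review = [line for src, line in auth_lines if src not in pollers]
    return pollers, review, other
```

High-volume sources returned in `pollers` are the candidates for a source-based drop rule; the `review` list keeps the failures that such a rule would not account for.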
