Symantec™ Security Gateways Reference Guide - Sawmill

IDS eventsSuspicious activity505Suspicious SNMP TrafficBase Event:Details:Response:Affected:SNMP_UNRECOGNIZED_SNMP_VERSIONThe SNMP version number was not a recognized value.Location and audit of victim is recommended.Hosts running SNMP agents or managers.False Positives: None known.References:RFC 1155 - SNMP v1 SpecificationsRFC 1157 - SNMP v1 SpecificationsRFC 1212 - SNMP v1 SpecificationsRFC 1901 - SNMP v2c SpecificationsRFC 1902 - SNMP v2c SpecificationsRFC 1903 - SNMP v2c SpecificationsRFC 1904 - SNMP v2c SpecificationsRFC 1905 - SNMP v2c SpecificationsRFC 1906 - SNMP v2c SpecificationsRFC 1907 - SNMP v2c SpecificationsRFC 1908 - SNMP v2c SpecificationsRFC 2571 - SNMP v3 SpecificationsRFC 2572 - SNMP v3 SpecificationsRFC 2573 - SNMP v3 SpecificationsRFC 2574 - SNMP v3 SpecificationsRFC 2575 - SNMP v3 SpecificationsSNMP FAQTelnet Failed LoginBase Event:Details:Response:Affected:TELNET_LOGIN_INCORRECTA Telnet connection was made, but the authentication resulted in failure. This may indicatesomeone attempting to compromise an account on the target system.If seen in sufficient volume or variation location and audit of client and server is recommended.No specific targets.False Positives: It is possible this is just someone mistyping a password though it does indicate the use of clear textlogons on your network which would pose a security risk since they are vulnerable to sniffing.ReferencesCAN-1999-0619http://www.whitehats.com (arachNIDS #127)Telnet SpecificationsTelnet Failed LoginBase Event:Details:Response:TELNET_ROOT_LOGIN_FAILEDA failed attempt was made to logon as root by means of Telnet. This may indicate someoneattempting to compromise a root account on the target system.Location and audit of client and server is recommended.