
Is anyone else getting a lot of "Attack" messages in the /var/log/messages, Splunk forwarder server?


In the /var/log/messages, there are a lot of "Attack" messages.
I guess it was made by the SNMP config.

Have you experienced anything like this? How can I stop or prevent it?

== snmp_ta app in splunk forwarder server
/apps/snmp_ta/local/inputs.conf

== /var/log/messages in splunk forwarder server
011SNMPv2-SMI::enterprises.8103.1.5 = STRING: "44826"#011SNMPv2-SMI::enterprises.8103.1.6 = STRING: "Attack Web SQLInjection(error message).C"#011SNMPv2-SMI::enterprises.8103.1.7 = STRING: "..."#011SNMPv2-SMI::enterprises.8103.1.8 = STRING: "2018/05/13 10:45:53"#011SNMPv2-SMI::enterprises.8103.1.9 = STRING: "Alarm"#011SNMPv2-SMI::enterprises.8103.1.10 = STRING: "Protocol=[TCP], SNIPER_ID=[400], Risk=[Low], HackType[01100], HackCount=[1], EndDate=[]"


"#011SNMPv2-SMI::enterprises.8103.1.5 = STRING: "80"#011SNMPv2-SMI::enterprises.8103.1.6 = STRING: "Directory Traversal Attack(/../../../)"#011SNMPv2-SMI::enterprises.8103.1.7 = STRING: "..."#011SNMPv2-SMI::enterprises.8103.1.8 
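The entries quoted in the post are SNMP trap varbinds (the `#011` is syslog's escape for the tab between them) that a security device is sending to the forwarder, so each "Attack" line is really an alert from that device, not an attack on the Splunk host. Before suppressing them it helps to see what they contain. The following is an added example, not code from the post or from the snmp_ta app: a small Python parser that splits such a line into fields and tallies alerts by attack name and risk. The two sample lines are constructed to match the post's format (the second one is completed with made-up values where the post's line is cut off), and the meaning assigned to each varbind index (port, attack, timestamp, severity, details) is an assumption inferred from the samples rather than taken from a MIB.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample lines modelled on the syslog entries quoted in the post.
# "#011" is the syslog escape for the tab character separating varbinds.
SAMPLE_LINES = [
    '#011SNMPv2-SMI::enterprises.8103.1.5 = STRING: "44826"'
    '#011SNMPv2-SMI::enterprises.8103.1.6 = STRING: "Attack Web SQLInjection(error message).C"'
    '#011SNMPv2-SMI::enterprises.8103.1.7 = STRING: "..."'
    '#011SNMPv2-SMI::enterprises.8103.1.8 = STRING: "2018/05/13 10:45:53"'
    '#011SNMPv2-SMI::enterprises.8103.1.9 = STRING: "Alarm"'
    '#011SNMPv2-SMI::enterprises.8103.1.10 = STRING: "Protocol=[TCP], SNIPER_ID=[400], '
    'Risk=[Low], HackType[01100], HackCount=[1], EndDate=[]"',
    # Second line: constructed values past varbind .8, where the post's quote is truncated.
    '#011SNMPv2-SMI::enterprises.8103.1.5 = STRING: "80"'
    '#011SNMPv2-SMI::enterprises.8103.1.6 = STRING: "Directory Traversal Attack(/../../../)"'
    '#011SNMPv2-SMI::enterprises.8103.1.7 = STRING: "..."'
    '#011SNMPv2-SMI::enterprises.8103.1.8 = STRING: "2018/05/13 10:46:10"'
    '#011SNMPv2-SMI::enterprises.8103.1.9 = STRING: "Alarm"'
    '#011SNMPv2-SMI::enterprises.8103.1.10 = STRING: "Protocol=[TCP], SNIPER_ID=[400], '
    'Risk=[Medium], HackType[01200], HackCount=[3], EndDate=[]"',
]

# One varbind: OID suffix under enterprises.8103.1 and its quoted STRING value.
VARBIND_RE = re.compile(r'SNMPv2-SMI::enterprises\.8103\.1\.(\d+) = STRING: "([^"]*)"')
# One "Key=[value]" (or "Key[value]", as HackType appears) item inside varbind .10.
DETAIL_RE = re.compile(r'([A-Za-z_]+)=?\[([^\]]*)\]')

# Assumed meaning of each varbind index, inferred from the samples (not from a MIB).
FIELD_NAMES = {
    "5": "port", "6": "attack", "7": "extra",
    "8": "timestamp", "9": "severity", "10": "details",
}


def parse_trap_line(line: str) -> Dict[str, str]:
    """Turn one syslog line of trap varbinds into a flat dict of named fields."""
    event = {FIELD_NAMES.get(idx, f"varbind_{idx}"): val
             for idx, val in VARBIND_RE.findall(line)}
    # Explode the bracketed key/value list in the details varbind into its own fields,
    # lower-casing keys so they are stable regardless of the device's capitalisation.
    for key, val in DETAIL_RE.findall(event.get("details", "")):
        event[key.lower()] = val
    return event


def summarize(lines: List[str]) -> Dict[Tuple[str, str], int]:
    """Count alerts by (attack name, risk), weighting by the device's HackCount."""
    counts: Counter = Counter()
    for line in lines:
        ev = parse_trap_line(line)
        if "Attack" not in ev.get("attack", ""):
            continue  # not an alert varbind set; skip
        weight = int(ev.get("hackcount", "1") or "1")
        counts[(ev["attack"], ev.get("risk", "unknown"))] += weight
    return dict(counts)


if __name__ == "__main__":
    for (attack, risk), n in sorted(summarize(SAMPLE_LINES).items()):
        print(f"{n:4d}  risk={risk:<7} {attack}")
```

Run it as a script to see the per-attack tally; the same `parse_trap_line` output is what you would want as extracted fields (port, attack, risk, hacktype) if these traps are routed to their own index instead of being left in /var/log/messages.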