Hi,
We have a customer who is currently doing some compliance scanning, and have found port 161, SNMP Server, open for various periods throughout the day. Is Splunk guilty of this or does Splunk not use port 161 in this fashion?
Thanks!
Splunk does not use port 161.
See this recent answer regarding "Splunk"'s SNMP functionality: http://splunk-base.splunk.com/answers/58537/what-version-of-splunk-can-receive-traps-via-snmpv3
Splunk does not directly use SNMP. It may be an SNMP daemon that is running on the same server, ref the following for the splunk recommended practice http://docs.splunk.com/Documentation/Splunk/latest/Data/SendSNMPeventstoSplunk
Is it a *nix platform? - If so you can use netstat and ps to locate some more information...
netstat -antp | egrep '161|162'
This will show you what processes are using those ports, you can then find the PID in this information and use that in a ps
search...
ps -ef | grep <PID>
Okay cool!
I will have a look and see if it is a Daemon or something untoward doing the SNMP. I guess this is why PCI Compliance exists 🙂