Skip to content

DET0453 Detection Strategy for SNMP (MIB Dump) on Network Devices

Item Value
ID DET0453
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1602.001 (SNMP (MIB Dump))

Analytics

Network Devices

AN1249

Defenders may observe suspicious SNMP MIB enumeration through abnormal queries for large sets of OIDs, repeated SNMP GETBULK/GETNEXT requests, or queries originating from non-administrative IP addresses. Anomalous use of community strings, authentication failures, or enumeration activity outside maintenance windows may also indicate attempts to dump MIB contents. Correlation across syslog, NetFlow, and SNMP audit data can reveal chains of behavior such as repeated authentication failures followed by successful large-scale OID retrieval.

Log Sources
Data Component Name Channel
Network Traffic Content (DC0085) networkdevice:syslog Authentication failures, unexpected community string usage, or unauthorized SNMPv1/v2 requests
Network Connection Creation (DC0082) NSM:Flow High-volume or repeated SNMP GETBULK/GETNEXT queries from untrusted or external IPs
File Modification (DC0061) networkdevice:audit SNMP configuration changes, such as enabling read/write access or modifying community strings
Mutable Elements
Field Description
AuthorizedAdminIPs Expected IP ranges allowed to query SNMP. Deviation indicates possible misuse.
NormalSNMPQueryRate Baseline frequency and volume of SNMP queries; anomalies above threshold may indicate dumping.
CommunityStringPatterns Expected community strings (e.g., hashed or custom values). Unrecognized strings may signal abuse.
TimeWindow Time periods during which SNMP queries are authorized. Queries outside these hours may be malicious.