FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Jonathan_Body_FTNT
Article Id 196042

Description
This article will explain what the "snmp_decoder: SNMP.Restricted.OID" message means.

Example of a message that can be logged by the FortiGate:

Message meets Alert condition
The following intrusion was observed: "snmp_decoder: SNMP.Restricted.OID".
2009-09-18 09:25:12 device_id=FGaassddffgg  log_id=0419070000 type=ips subtype=signature pri=alert vd=root policyid=2 serial=13082753 attack_id=294191112 severity=medium src=192.168.100.13 dst=192.168.110.100 src_port=2724 dst_port=161 src_int="port1" dst_int="wan1" status=detected proto=17 service=161/udp user=N/A group=N/A ref="http://www.fortinet.com/ids/VID294191112" count=1 msg="snmp_decoder: SNMP.Restricted.OID"



Solution

The "snmp_decoder: SNMP.Restricted.OID" message is an anomaly message which indicates an attempt to access a restricted Object Identifier (OID) via Simple Network Management Protocol (SNMP).
It may, however, also indicate attack attempts such as those described on the following FortiGuard Center Resource Library page:
 
 
The OIDs that are detected within the scope of this signature are the following:

.4.1.77.1.2
.2.1.10.23.2.3.1.5.2.1
.2.1.10.23.2.3.1.6.2.1
.4.1.11.2.3.9.1.1.13.0
.4.1.11.2.3.1.4.2.1.22
.2.1.1.1
.6.3.16.1.2.1.3

Once detected, the access to the restricted OID appears in the Attack Log of the FortiGate as a potential DoS attack.
Note that this IPS signature is included in the IPS engine but is not enabled by default; it therefore has to be enabled under UTM>Intrusion Protection>Configure IPS Override.
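To help an analyst work with this signature, the following added example (it is not code from the Fortinet article or from Fortinet) parses FortiGate key=value IPS log lines of the kind shown above, filters for the SNMP.Restricted.OID signature, summarises the alerts, and checks whether a given full OID falls under one of the restricted OIDs the article lists. The first sample line is the article's own example; the other two lines are constructed for the example. The article lists the restricted OIDs without their base; treating them as relative to 1.3.6.1 is an assumption of this example.

```python
"""Added example: triage FortiGate 'snmp_decoder: SNMP.Restricted.OID' alerts."""
import re
from typing import Dict, List

# Restricted OID suffixes exactly as listed in the article.
RESTRICTED_OID_SUFFIXES = [
    ".4.1.77.1.2",
    ".2.1.10.23.2.3.1.5.2.1",
    ".2.1.10.23.2.3.1.6.2.1",
    ".4.1.11.2.3.9.1.1.13.0",
    ".4.1.11.2.3.1.4.2.1.22",
    ".2.1.1.1",
    ".6.3.16.1.2.1.3",
]
# Assumption (not stated by the article): the suffixes hang off iso.org.dod.internet.
ASSUMED_BASE = "1.3.6.1"

# Leading "YYYY-MM-DD HH:MM:SS" timestamp, then key=value pairs whose values may be
# double-quoted (and then contain spaces or colons) or bare.
_TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Sample input: line 1 is the article's example; lines 2 and 3 are constructed.
SAMPLE_LINES = [
    '2009-09-18 09:25:12 device_id=FGaassddffgg  log_id=0419070000 type=ips subtype=signature '
    'pri=alert vd=root policyid=2 serial=13082753 attack_id=294191112 severity=medium '
    'src=192.168.100.13 dst=192.168.110.100 src_port=2724 dst_port=161 src_int="port1" '
    'dst_int="wan1" status=detected proto=17 service=161/udp user=N/A group=N/A '
    'ref="http://www.fortinet.com/ids/VID294191112" count=1 msg="snmp_decoder: SNMP.Restricted.OID"',
    # constructed: a second hit on the same signature from another source
    '2009-09-18 09:26:40 device_id=FGaassddffgg  log_id=0419070000 type=ips subtype=signature '
    'pri=alert vd=root policyid=2 serial=13082790 attack_id=294191112 severity=medium '
    'src=192.168.100.14 dst=192.168.110.100 src_port=3101 dst_port=161 src_int="port1" '
    'dst_int="wan1" status=detected proto=17 service=161/udp user=N/A group=N/A '
    'ref="http://www.fortinet.com/ids/VID294191112" count=3 msg="snmp_decoder: SNMP.Restricted.OID"',
    # constructed: an unrelated traffic log line that must be ignored
    '2009-09-18 09:27:02 device_id=FGaassddffgg  log_id=0021000002 type=traffic subtype=forward '
    'pri=notice vd=root src=192.168.100.20 dst=192.168.110.5 dst_port=443 proto=6 msg="accept"',
]


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Parse one FortiGate log line into a dict; quotes around values are stripped."""
    line = line.strip()
    fields: Dict[str, str] = {}
    ts = _TS_RE.match(line)
    if ts:
        fields["timestamp"] = ts.group(1)
    for key, value in _KV_RE.findall(line):
        fields[key] = value.strip('"')
    return fields


def is_restricted_oid_alert(fields: Dict[str, str]) -> bool:
    """True when the parsed line is the IPS signature discussed in the article."""
    return fields.get("type") == "ips" and "SNMP.Restricted.OID" in fields.get("msg", "")


def oid_is_restricted(oid: str, base: str = ASSUMED_BASE) -> bool:
    """Arc-wise prefix match of a full dotted OID against the restricted list.

    Matching on arcs rather than on the string avoids '.2.1.1.10' being taken
    as a child of '.2.1.1.1'.
    """
    arcs = oid.strip(".").split(".")
    for suffix in RESTRICTED_OID_SUFFIXES:
        restricted = (base + suffix).split(".")
        if arcs[: len(restricted)] == restricted:
            return True
    return False


def triage(lines: List[str]) -> Dict[str, object]:
    """Summarise SNMP.Restricted.OID alerts found in a batch of log lines."""
    alerts = [f for f in map(parse_fortigate_log, lines) if is_restricted_oid_alert(f)]
    return {
        "alert_count": len(alerts),
        "event_count": sum(int(f.get("count", "1")) for f in alerts),
        "sources": sorted({f.get("src", "?") for f in alerts}),
        "targets": sorted({f.get("dst", "?") for f in alerts}),
        # SNMP normally runs on UDP/161; anything else deserves a closer look.
        "all_on_snmp_port": all(f.get("dst_port") == "161" for f in alerts),
        "severities": sorted({f.get("severity", "?") for f in alerts}),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LINES))
    print(oid_is_restricted("1.3.6.1.2.1.1.1.0"))  # sysDescr.0, under .2.1.1.1
```

`triage` is meant to be fed the raw alert lines exported from the FortiGate log; `oid_is_restricted` can be pointed at OIDs seen in a packet capture of the offending SNMP requests to confirm which restricted subtree was being queried.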
