a) The traps come in pairs, with the second trap
one to two seconds behind the first, or within
the same second. Other than the timing, the traps
are identical to traps that are issued when a tech
telnets into, changes access level, or drops a telnet
session with a Max.
b) I run a pretty tight ship, so sessions invoked by
authorized employees are logged. These traps are
not being caused by authorized personnel.
c) There appears to be no possible way for a human
to create two of these traps within a second
of each other. We have tried, and simply typing
passwords and navigating the Max user interface
takes too long.
d) Since the Ascend trap gives NO information as to
the source of the connection to the console, we
have watched traffic on the ethernet side of the
Maxen, to no avail.
e) When these traps are received, NOC staff quickly
look at Ascend's consoleInfoConsoleEntry, and have
consistently found no one connected to the Max in question.
f) We have audited the radius logs, and have not found
any single user who is consistently logged onto the
Maxen in question when these traps show up.
g) Passwords for all devices are changed weekly, the
Maxen among them.
h) All equipment is locked in unmanned locations and
protected by alarm systems, so we would tend to
know if someone was plugging a laptop into a Max. :)
i) Traps of this nature are a great concern, since they
imply a security problem - we want to know if anyone
attempts to "break into" our infrastructure gear.
j) Ascend 1st-level tech support was not much help on
this issue.
Has anyone else seen this sort of activity? I suspect
a bug in Ascend's microcode, since we did not notice this
prior to 5.0Ap13.
Would others that catch traps and keep logs of traps please
look for similar events? I will likely need confirmation
from another independent source to be able to present clear
and compelling evidence to Ascend.
Examples since 9/30/97 are shown below, in pairs. The last example
shown is highly unusual, since it is from a newly-installed Max, and
NO ONE was logged into or sending any traffic via ethernet to that
Max when the trap was issued, indicating that we do have a bug here,
rather than a security issue.
The traps listed below are from a Max 4004, running
5.0Ap13 (SNMP community strings blanked to protect
the innocent):
9/30/97 22:07:29 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
9/30/97 22:07:30 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/3/97 11:57:42 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/3/97 11:57:43 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/3/97 13:53:31 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/3/97 13:53:32 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/3/97 14:12:54 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/3/97 14:12:55 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/3/97 14:16:46 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/3/97 14:16:47 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/3/97 21:44:52 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/3/97 21:44:54 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/3/97 21:49:06 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/3/97 21:49:07 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/8/97 18:36:38 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/8/97 18:36:39 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/9/97 12:20:10 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/9/97 12:20:11 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/9/97 12:23:20 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/9/97 12:23:21 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/19/97 00:40:21 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/19/97 00:40:22 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/22/97 09:03:19 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/22/97 09:03:20 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/22/97 16:02:47 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/22/97 16:02:48 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/22/97 16:10:07 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/22/97 16:10:08 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/22/97 16:37:29 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/22/97 16:37:31 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/22/97 17:36:11 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.3=3
10/22/97 17:36:12 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.3=3
10/24/97 21:16:47 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/24/97 21:16:47 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/26/97 21:40:54 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/26/97 21:40:54 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/27/97 19:01:43 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/27/97 19:01:44 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/29/97 13:39:52 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/29/97 13:39:52 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/29/97 13:45:59 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/29/97 13:45:59 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/29/97 13:47:58 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/29/97 13:47:59 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/29/97 14:01:44 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/29/97 14:01:44 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/29/97 14:02:40 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/29/97 14:02:41 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/29/97 14:04:01 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/29/97 14:04:02 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/29/97 15:21:00 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/29/97 15:21:01 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/29/97 16:49:12 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/29/97 16:49:12 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/29/97 17:12:26 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/29/97 17:12:26 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/29/97 17:24:03 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/29/97 17:24:04 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/29/97 17:48:09 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/29/97 17:48:09 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
11/1/97 12:15:45 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
11/1/97 12:15:46 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
11/2/97 14:31:47 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
11/2/97 14:31:47 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
11/3/97 20:40:10 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
11/3/97 20:40:10 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
11/9/97 15:37:36 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
11/9/97 15:37:36 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
Here is the trap from a Max when no one was dialed in.
Logs from a snoop session show no traffic, other than
the SNMP trap itself.
This is from a Max 4048 running 5.0Ap33
11/9/97 17:59:41 Rocky-Ascend consoleStateChange, ent=ascend, comm=##,
consoleIndex.2=2
11/9/97 17:59:43 Rocky-Ascend consoleStateChange, ent=ascend, comm=##,
consoleIndex.2=2
It is easier to live up to one's reputation than to live one down
james fischer jfischer@supercollider.com
++ Ascend Users Mailing List ++
To unsubscribe: send unsubscribe to ascend-users-request@bungi.com
To get FAQ'd: <<A HREF="http://www.nealis.net/ascend/faq">http://www.nealis.net/ascend/faq</A>>
</PRE>
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
<HR>
<UL>
<LI>Prev by Date:
<STRONG><A HREF="msg10594.html">(ASCEND) Pipeline 50 Config Question</A></STRONG>
</LI>
<LI>Next by Date:
<STRONG><A HREF="msg10593.html">(ASCEND) Routing Phone calls?</A></STRONG>
</LI>
<LI>Prev by thread:
<STRONG><A HREF="msg10593.html">(ASCEND) Routing Phone calls?</A></STRONG>
</LI>
<LI>Next by thread:
<STRONG><A HREF="msg10594.html">(ASCEND) Pipeline 50 Config Question</A></STRONG>
</LI>
<LI>Index(es):
<UL>
<LI><A HREF="maillist.html#10595"><STRONG>Main</STRONG></A></LI>
<LI><A HREF="thrd235.html#10595"><STRONG>Thread</STRONG></A></LI>
</UL>
</LI>
</UL>
<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->
</BODY>
</HTML>