RE: SNMP Traffic over spoolsv.exe ?

From: Darren Augi (daugi_at_optonline.net)
Date: 09/14/03

    Date: Sat, 13 Sep 2003 23:00:39 -0400
    To: gillettdavid@fhda.edu, 'Nick Duda' <nduda@VistaPrint.com>, security-basics@securityfocus.com
    
    

    I agree; based on the output, it appears to be a Get request with "public" as
    the community string. HP JetDirect uses this to find printers and manage
    them.

    My 2 cents...

    Darren

    -----Original Message-----
    From: David Gillett [mailto:gillettdavid@fhda.edu]
    Sent: Thursday, September 11, 2003 3:40 PM
    To: 'Nick Duda'; security-basics@securityfocus.com

      HP loves to use SNMP to talk to their networked printers,
    presumably from within the printer driver code which spoolsv
    would be likely to call.

    David Gillett

    > -----Original Message-----
    > From: Nick Duda [mailto:nduda@VistaPrint.com]
    > Sent: September 11, 2003 06:05
    > To: security-basics@securityfocus.com
    > Subject: SNMP Traffic over spoolsv.exe ?
    >
    >
    > This seems odd... Snort is reporting, every 5 minutes, one of
    > our internal PCs generating SNMP traffic to a private IP
    > that is not part of our network. The thing is, SNMP isn't
    > running on the system and the source port is coming from
    > spoolsv.exe (print spooler). Here is verbose tcpdump output, any ideas?
    >
    > 08:56:02.499840 x.x.x.x.1159 > 192.168.0.150.snmp:
    > GetRequest(39) .1.3.6.1.2.1.25.3.2.1.5.1 .1.3.6.1.2.1.25.3[|snmp]
    > 08:56:08.516713 x.x.x.x.1159 > 192.168.0.150.snmp:
    > GetRequest(39) .1.3.6.1.2.1.25.3.2.1.5.1 .1.3.6.1.2.1.25.3[|snmp]
    > 08:56:14.517659 x.x.x.x.1159 > 192.168.0.150.snmp:
    > GetRequest(39) .1.3.6.1.2.1.25.3.2.1.5.1 .1.3.6.1.2.1.25.3[|snmp]
    > 08:56:20.519120 x.x.x.x.1159 > 192.168.0.150.snmp:
    > GetRequest(39) .1.3.6.1.2.1.25.3.2.1.5.1 .1.3.6.1.2.1.25.3[|snmp]
    >
    > Here is snort output
    > SNMP public access udp alert
    >
    > 30 4B 02 01 00 04 06 70 75 62 6C 69 63 A0 3E 02 0K.....public.>.
    > 01 07 02 01 00 02 01 00 30 33 30 0F 06 0B 2B 06 ........030...+.
    > 01 02 01 19 03 02 01 05 01 05 00 30 0F 06 0B 2B ...........0...+
    > 06 01 02 01 19 03 05 01 01 01 05 00 30 0F 06 0B ............0...
    > 2B 06 01 02 01 19 03 05 01 02 01 05 00 +............
    >
    > 0K.....public.>.........030...+............0...+............0.
    > ..+............
    >
    > - Nick
    >

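The Snort alert quoted in Nick's message carries the whole UDP payload, so the question of what spoolsv.exe is asking the printer can be settled by decoding it rather than by guessing from the port. The following decoder is an added example for this thread, not code posted by anyone in it. It walks the BER tag-length-value structure of an SNMPv1 message (outer SEQUENCE, version, community, PDU, variable bindings) and names the requested objects using HOST-RESOURCES-MIB (RFC 2790). The hex constant is the payload from the Snort alert above with the ASCII column dropped; the MIB prefix table and function names are the example's own.

```python
"""Decode an SNMPv1 message from the hex payload of a Snort alert.

Added example for this thread, not code from any poster. SNORT_HEX is the
payload quoted in Nick's message; object names come from HOST-RESOURCES-MIB
(RFC 2790).
"""

# Payload bytes copied from the Snort alert in the thread (ASCII column dropped).
SNORT_HEX = """
30 4B 02 01 00 04 06 70 75 62 6C 69 63 A0 3E 02
01 07 02 01 00 02 01 00 30 33 30 0F 06 0B 2B 06
01 02 01 19 03 02 01 05 01 05 00 30 0F 06 0B 2B
06 01 02 01 19 03 05 01 01 01 05 00 30 0F 06 0B
2B 06 01 02 01 19 03 05 01 02 01 05 00
"""

# SNMPv1 PDU tags (context-specific, constructed).
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap"}

# Columnar objects from HOST-RESOURCES-MIB (RFC 2790); the trailing arc is the row index.
HOST_RESOURCES = {
    "1.3.6.1.2.1.25.3.2.1.5": "hrDeviceStatus",
    "1.3.6.1.2.1.25.3.5.1.1": "hrPrinterStatus",
    "1.3.6.1.2.1.25.3.5.1.2": "hrPrinterDetectedErrorState",
}


def read_tlv(buf, pos):
    """Read one BER tag-length-value starting at pos; return (tag, value, end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits count length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated TLV at offset %d" % pos)
    return tag, buf[pos:end], end


def expect(buf, pos, wanted):
    """read_tlv that also checks the tag, so malformed input fails loudly."""
    tag, value, end = read_tlv(buf, pos)
    if tag != wanted:
        raise ValueError("expected tag 0x%02X, got 0x%02X" % (wanted, tag))
    return value, end


def decode_oid(raw):
    """BER OID: first octet packs arcs 1 and 2 as 40*x+y; the rest are base-128."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends the sub-identifier
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def decode_int(raw):
    return int.from_bytes(raw, "big", signed=True)


def parse_snmp_message(data):
    """Parse an SNMPv1/v2c message into version, community, PDU type and OIDs."""
    body, _ = expect(data, 0, 0x30)                       # outer SEQUENCE
    raw, pos = expect(body, 0, 0x02); version = decode_int(raw)
    raw, pos = expect(body, pos, 0x04); community = raw.decode("ascii", "replace")
    pdu_tag, pdu, _ = read_tlv(body, pos)
    if pdu_tag not in PDU_TYPES:
        raise ValueError("unknown PDU tag 0x%02X" % pdu_tag)
    raw, pos = expect(pdu, 0, 0x02); request_id = decode_int(raw)
    raw, pos = expect(pdu, pos, 0x02); error_status = decode_int(raw)
    raw, pos = expect(pdu, pos, 0x02); error_index = decode_int(raw)
    varbinds, _ = expect(pdu, pos, 0x30)
    oids, pos = [], 0
    while pos < len(varbinds):
        vb, pos = expect(varbinds, pos, 0x30)             # one VarBind SEQUENCE
        oid_raw, _ = expect(vb, 0, 0x06)                  # OBJECT IDENTIFIER
        oids.append(decode_oid(oid_raw))
    return {"version": version, "community": community, "pdu": PDU_TYPES[pdu_tag],
            "request_id": request_id, "error_status": error_status,
            "error_index": error_index, "oids": oids}


def name_oid(oid):
    """Map an instance OID to MIB object name plus row index where the table knows it."""
    for prefix, name in HOST_RESOURCES.items():
        if oid == prefix or oid.startswith(prefix + "."):
            return name + oid[len(prefix):]
    return oid


def decode_snort_dump(hex_text=SNORT_HEX):
    """Turn the whitespace-separated hex of a Snort payload dump into a parsed message."""
    return parse_snmp_message(bytes.fromhex("".join(hex_text.split())))


if __name__ == "__main__":
    msg = decode_snort_dump()
    ver = {0: "v1", 1: "v2c"}.get(msg["version"], str(msg["version"]))
    print("SNMP%s %s community=%r request-id=%d" %
          (ver, msg["pdu"], msg["community"], msg["request_id"]))
    for oid in msg["oids"]:
        print("  ", oid, "->", name_oid(oid))
```

Run against the alert payload, the decoder reports an SNMPv1 GetRequest with community "public" reading hrDeviceStatus.1, hrPrinterStatus.1 and hrPrinterDetectedErrorState.1, i.e. a printer status poll, which is consistent with the print-driver explanation given above. Decoding the payload this way is a cheap triage step for "SNMP public access" alerts: the same rule fires on harmless driver polling and on genuine community-string probing, and only the PDU type, target OIDs and destination tell them apart.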

