Re: SNMP Traffic over spoolsv.exe ?
jamesworld_at_intelligencia.com
Date: 09/16/03
- Previous message: Ansgar Wiechers: "Re: File Encryption - Laptop"
- Maybe in reply to: Nick Duda: "SNMP Traffic over spoolsv.exe ?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 15 Sep 2003 20:55:25 -0500
To: "Nick Duda" <nduda@VistaPrint.com>
Nick,
I see this quite a bit and have experienced it first-hand on a few
laptops. Check the machine and see if there are any printers added that
are LPR to the other address. I have traced my packets down to the machine
wanting to get status updates from the printer (# of documents, toner
level, on-line status, etc.).
If you don't see this to be the case, let me know.
-James
At 08:05 09/11/2003, Nick Duda wrote:
>This seems odd.... Snort is reporting every 5 minutes one of our internal
>PCs generating SNMP traffic to a private IP that is not part of our
>network. The thing is, SNMP isn't running on the system and the source
>port is coming from spoolsv.exe (print spooler). Here is verbose output
>from tcpdump; any ideas?
>
>08:56:02.499840 x.x.x.x.1159 >
>192.168.0.150.snmp: GetRequest(39) .1.3.6.1.2.1.25.3.2.1.5.1
>.1.3.6.1.2.1.25.3[|snmp]
>08:56:08.516713 x.x.x.x.1159 >
>192.168.0.150.snmp: GetRequest(39) .1.3.6.1.2.1.25.3.2.1.5.1
>.1.3.6.1.2.1.25.3[|snmp]
>08:56:14.517659 x.x.x.x.1159 >
>192.168.0.150.snmp: GetRequest(39) .1.3.6.1.2.1.25.3.2.1.5.1
>.1.3.6.1.2.1.25.3[|snmp]
>08:56:20.519120 x.x.x.x.1159 >
>192.168.0.150.snmp: GetRequest(39) .1.3.6.1.2.1.25.3.2.1.5.1
>.1.3.6.1.2.1.25.3[|snmp]
>
>Here is snort output
> SNMP public access udp alert
>
>30 4B 02 01 00 04 06 70 75 62 6C 69 63 A0 3E 02 0K.....public.>.
>01 07 02 01 00 02 01 00 30 33 30 0F 06 0B 2B 06 ........030...+.
>01 02 01 19 03 02 01 05 01 05 00 30 0F 06 0B 2B ...........0...+
>06 01 02 01 19 03 05 01 01 01 05 00 30 0F 06 0B ............0...
>2B 06 01 02 01 19 03 05 01 02 01 05 00 +............
>
>0K.....public.>.........030...+............0...+............0...+............
>
>- Nick
>
>---------------------------------------------------------------------------
>Captus Networks
>Are you prepared for the next Sobig & Blaster?
> - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
> - Precisely Define and Implement Network Security
> - Automatically Control P2P, IM and Spam Traffic
>FIND OUT NOW - FREE Vulnerability Assessment Toolkit
>http://www.captusnetworks.com/ads/42.htm
>----------------------------------------------------------------------------
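A way to check what the spooler is actually asking that address, using the bytes Nick pasted: the Snort hex is a BER-encoded SNMPv1 GetRequest, and decoding it shows the community string and the three OIDs polled. The decoder below is an added example, not code from the thread; the hex is copied from the quoted alert, and the OID names assume those OIDs are the HOST-RESOURCES-MIB (RFC 2790) hrDevice/hrPrinter columns.

```python
# Added example: decode the SNMPv1 GetRequest bytes quoted from the Snort alert in the post
# (hex copied from there); OID names are from HOST-RESOURCES-MIB (RFC 2790).
SNORT_HEX = (
    "30 4B 02 01 00 04 06 70 75 62 6C 69 63 A0 3E 02 01 07 02 01 00 02 01 00 30 33"
    " 30 0F 06 0B 2B 06 01 02 01 19 03 02 01 05 01 05 00 30 0F 06 0B 2B 06 01 02 01"
    " 19 03 05 01 01 01 05 00 30 0F 06 0B 2B 06 01 02 01 19 03 05 01 02 01 05 00"
)
HR_MIB_NAMES = {
    "1.3.6.1.2.1.25.3.2.1.5": "hrDeviceStatus",
    "1.3.6.1.2.1.25.3.5.1.1": "hrPrinterStatus",
    "1.3.6.1.2.1.25.3.5.1.2": "hrPrinterDetectedErrorState",
}

def read_tlv(buf, pos):
    """Read one BER tag-length-value; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """BER OID: first octet packs arcs 1 and 2; the rest are base-128 with a continuation bit."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def parse_snmpv1_get(packet):
    """Return version, community, request-id and the OIDs an SNMPv1 GetRequest polls."""
    _, msg, _ = read_tlv(packet, 0)               # Message ::= SEQUENCE
    _, ver, pos = read_tlv(msg, 0)                # version INTEGER (0 means SNMPv1)
    _, community, pos = read_tlv(msg, pos)        # community OCTET STRING
    pdu_tag, pdu, _ = read_tlv(msg, pos)          # context tag [0] = GetRequest-PDU
    if pdu_tag != 0xA0:
        raise ValueError("not a GetRequest PDU: tag 0x%02X" % pdu_tag)
    _, req_id, pos = read_tlv(pdu, 0)             # request-id
    for _ in range(2):                            # error-status, error-index (unused in a request)
        _, _, pos = read_tlv(pdu, pos)
    _, varbinds, _ = read_tlv(pdu, pos)           # VarBindList ::= SEQUENCE OF VarBind
    oids, pos = [], 0
    while pos < len(varbinds):
        _, vb, pos = read_tlv(varbinds, pos)      # VarBind ::= SEQUENCE { name OID, value NULL }
        _, oid_raw, _ = read_tlv(vb, 0)
        oids.append(decode_oid(oid_raw))
    return {"version": int.from_bytes(ver, "big"), "community": community.decode("ascii"),
            "request_id": int.from_bytes(req_id, "big"), "oids": oids,
            "names": [HR_MIB_NAMES.get(o.rsplit(".", 1)[0], "unknown") for o in oids]}
```

On the quoted bytes this yields community "public", request-id 7, and hrDeviceStatus, hrPrinterStatus and hrPrinterDetectedErrorState for instance 1, which is the printer-status poll James describes rather than a general SNMP walk of the host.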