Security Basics mailing list archives
RE: SNMP Traffic over spoolsv.exe ?
From: Darren Augi <daugi () optonline net>
Date: Sat, 13 Sep 2003 23:00:39 -0400
I agree; based on the output it appears to be a get request with "public" as the community string. HP JetDirect uses this to find printers and manage them.

My 2 cents...
Darren

-----Original Message-----
From: David Gillett [mailto:gillettdavid () fhda edu]
Sent: Thursday, September 11, 2003 3:40 PM
To: 'Nick Duda'; security-basics () securityfocus com

HP loves to use SNMP to talk to their networked printers, presumably from within the printer driver code which spoolsv would be likely to call.

David Gillett

-----Original Message-----
From: Nick Duda [mailto:nduda () VistaPrint com]
Sent: September 11, 2003 06:05
To: security-basics () securityfocus com
Subject: SNMP Traffic over spoolsv.exe ?

This seems odd.... Snort is reporting every 5 minutes one of our internal PCs generating SNMP traffic to a private IP that is not part of our network. The thing is, SNMP isn't running on the system and the source port is coming from spoolsv.exe (print spooler). Here is a verbose of tcpdump, any ideas?

08:56:02.499840 x.x.x.x.1159 > 192.168.0.150.snmp: GetRequest(39) .1.3.6.1.2.1.25.3.2.1.5.1 .1.3.6.1.2.1.25.3[|snmp]
08:56:08.516713 x.x.x.x.1159 > 192.168.0.150.snmp: GetRequest(39) .1.3.6.1.2.1.25.3.2.1.5.1 .1.3.6.1.2.1.25.3[|snmp]
08:56:14.517659 x.x.x.x.1159 > 192.168.0.150.snmp: GetRequest(39) .1.3.6.1.2.1.25.3.2.1.5.1 .1.3.6.1.2.1.25.3[|snmp]
08:56:20.519120 x.x.x.x.1159 > 192.168.0.150.snmp: GetRequest(39) .1.3.6.1.2.1.25.3.2.1.5.1 .1.3.6.1.2.1.25.3[|snmp]

Here is snort output:

SNMP public access udp alert
30 4B 02 01 00 04 06 70 75 62 6C 69 63 A0 3E 02  0K.....public.>.
01 07 02 01 00 02 01 00 30 33 30 0F 06 0B 2B 06  ........030...+.
01 02 01 19 03 02 01 05 01 05 00 30 0F 06 0B 2B  ...........0...+
06 01 02 01 19 03 05 01 01 01 05 00 30 0F 06 0B  ............0...
2B 06 01 02 01 19 03 05 01 02 01 05 00           +............

- Nick

---------------------------------------------------------------------------
Captus Networks
Are you prepared for the next Sobig & Blaster?
- Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
- Precisely Define and Implement Network Security
- Automatically Control P2P, IM and Spam Traffic
FIND OUT NOW - FREE Vulnerability Assessment Toolkit
http://www.captusnetworks.com/ads/42.htm
----------------------------------------------------------------------------
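An added example (not code from the thread or from any of the posters): a minimal BER decoder that takes the hex payload Snort logged in Nick's message and recovers the SNMP version, community string, PDU type and requested OIDs, so the same check can be run on any similar alert before deciding whether the traffic is benign. The hex bytes are copied from the post; the OID-to-name mapping comes from the Host Resources MIB (RFC 2790) and is the only outside assumption.

```python
# Added example (not from the thread): decode the SNMP payload Snort logged in
# the post above with a minimal BER reader. Hex copied from the post; OID names per RFC 2790.
SNORT_HEX = """30 4B 02 01 00 04 06 70 75 62 6C 69 63 A0 3E 02
01 07 02 01 00 02 01 00 30 33 30 0F 06 0B 2B 06
01 02 01 19 03 02 01 05 01 05 00 30 0F 06 0B 2B
06 01 02 01 19 03 05 01 01 01 05 00 30 0F 06 0B
2B 06 01 02 01 19 03 05 01 02 01 05 00"""
# Host Resources MIB objects (RFC 2790); the request reads instance .1 of each.
HOST_MIB = {".1.3.6.1.2.1.25.3.2.1.5": "hrDeviceStatus",
            ".1.3.6.1.2.1.25.3.5.1.1": "hrPrinterStatus",
            ".1.3.6.1.2.1.25.3.5.1.2": "hrPrinterDetectedErrorState"}

def tlv(buf, pos=0):
    """One BER tag-length-value; short-form length only, which is all a PDU this size uses."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form BER length not handled")
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

def decode_oid(raw):
    """First byte packs arcs 1 and 2 as 40*a+b; later arcs are base-128 with a continuation bit."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return "." + ".".join(map(str, arcs))

def decode_snmp(payload):
    """Return version, community string, PDU type and the OIDs in the varbind list."""
    _, msg, _ = tlv(payload)                     # outer SEQUENCE (tag 0x30)
    _, ver, p = tlv(msg)
    _, community, p = tlv(msg, p)
    pdu_tag, pdu, _ = tlv(msg, p)                # 0xA0 = GetRequest
    p = 0
    for _ in range(3):                           # skip request-id, error-status, error-index
        p = tlv(pdu, p)[2]
    _, varbinds, _ = tlv(pdu, p)
    oids, p = [], 0
    while p < len(varbinds):                     # each varbind is SEQUENCE { OID, value }
        _, vb, p = tlv(varbinds, p)
        oids.append(decode_oid(tlv(vb)[1]))
    return {"version": int.from_bytes(ver, "big") + 1,
            "community": community.decode("ascii"),
            "pdu": "GetRequest" if pdu_tag == 0xA0 else f"tag {pdu_tag:#x}", "oids": oids}

def label(oid):
    base, _, idx = oid.rpartition(".")           # instance OID to MIB name, e.g. hrPrinterStatus.1
    return f"{HOST_MIB[base]}.{idx}" if base in HOST_MIB else oid
```

Decoding the captured bytes yields an SNMPv1 GetRequest with community "public" for hrDeviceStatus.1, hrPrinterStatus.1 and hrPrinterDetectedErrorState.1, i.e. a printer status poll, which matches the explanation given in the replies.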
Current thread:
- SNMP Traffic over spoolsv.exe ? Nick Duda (Sep 11)
- RE: SNMP Traffic over spoolsv.exe ? David Gillett (Sep 11)
- RE: SNMP Traffic over spoolsv.exe ? Darren Augi (Sep 15)
- <Possible follow-ups>
- Re: SNMP Traffic over spoolsv.exe ? jamesworld (Sep 16)
- RE: SNMP Traffic over spoolsv.exe ? David Gillett (Sep 11)