Security Basics mailing list archives

RE: SNMP Traffic over spoolsv.exe ?


From: "David Gillett" <gillettdavid () fhda edu>
Date: Thu, 11 Sep 2003 12:39:46 -0700

  HP loves to use SNMP to talk to their networked printers,
presumably from within the printer driver code which spoolsv
would be likely to call.

David Gillett

-----Original Message-----
From: Nick Duda [mailto:nduda () VistaPrint com]
Sent: September 11, 2003 06:05
To: security-basics () securityfocus com
Subject: SNMP Traffic over spoolsv.exe ? 


This seems odd.... Snort is reporting every 5 minutes one of
our internal PCs generating SNMP traffic to a private IP
that is not part of our network. The thing is, SNMP isn't
running on the system and the source port is coming from
spoolsv.exe (print spooler). Here is a verbose of tcpdump, any ideas?

08:56:02.499840 x.x.x.x.1159 > 192.168.0.150.snmp:  
GetRequest(39)  .1.3.6.1.2.1.25.3.2.1.5.1 .1.3.6.1.2.1.25.3[|snmp]
08:56:08.516713 x.x.x.x.1159 > 192.168.0.150.snmp:  
GetRequest(39)  .1.3.6.1.2.1.25.3.2.1.5.1 .1.3.6.1.2.1.25.3[|snmp]
08:56:14.517659 x.x.x.x.1159 > 192.168.0.150.snmp:  
GetRequest(39)  .1.3.6.1.2.1.25.3.2.1.5.1 .1.3.6.1.2.1.25.3[|snmp]
08:56:20.519120 x.x.x.x.1159 > 192.168.0.150.snmp:  
GetRequest(39)  .1.3.6.1.2.1.25.3.2.1.5.1 .1.3.6.1.2.1.25.3[|snmp]

Here is the snort output
 SNMP public access udp  alert

30 4B 02 01 00 04 06 70 75 62 6C 69 63 A0 3E 02   0K.....public.>.
01 07 02 01 00 02 01 00 30 33 30 0F 06 0B 2B 06   ........030...+.
01 02 01 19 03 02 01 05 01 05 00 30 0F 06 0B 2B   ...........0...+
06 01 02 01 19 03 05 01 01 01 05 00 30 0F 06 0B   ............0...
2B 06 01 02 01 19 03 05 01 02 01 05 00            +............

0K.....public.>.........030...+............0...+............0.
..+............

- Nick

---------------------------------------------------------------------------
Captus Networks
Are you prepared for the next Sobig & Blaster?
 - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
 - Precisely Define and Implement Network Security
 - Automatically Control P2P, IM and Spam Traffic
FIND OUT NOW -  FREE Vulnerability Assessment Toolkit
http://www.captusnetworks.com/ads/42.htm
----------------------------------------------------------------------------