Security Basics mailing list archives
Re: SNMP Traffic over spoolsv.exe ?
From: jamesworld () intelligencia com
Date: Mon, 15 Sep 2003 20:55:25 -0500
Nick, I see this quite a bit and have experienced it first hand on a few laptops. Check the machine and see if there are any printers added that are LPR to the other address. I have traced my packets down to the machine wanting to get status updates from the printer (# of documents, toner level, on-line status, etc).
If you don't see this to be the case, let me know.
-James

At 08:05 09/11/2003, Nick Duda wrote:
This seems odd.... Snort is reporting every 5 minutes one of our internal PC's generating SNMP traffic to a private IP that is not part of our network. The thing is, SNMP isn't running on the system and the source port is coming from spoolsv.exe (print spooler). Here is a verbose of tcpdump, any ideas?

08:56:02.499840 x.x.x.x.1159 > 192.168.0.150.snmp: GetRequest(39) .1.3.6.1.2.1.25.3.2.1.5.1 .1.3.6.1.2.1.25.3[|snmp]
08:56:08.516713 x.x.x.x.1159 > 192.168.0.150.snmp: GetRequest(39) .1.3.6.1.2.1.25.3.2.1.5.1 .1.3.6.1.2.1.25.3[|snmp]
08:56:14.517659 x.x.x.x.1159 > 192.168.0.150.snmp: GetRequest(39) .1.3.6.1.2.1.25.3.2.1.5.1 .1.3.6.1.2.1.25.3[|snmp]
08:56:20.519120 x.x.x.x.1159 > 192.168.0.150.snmp: GetRequest(39) .1.3.6.1.2.1.25.3.2.1.5.1 .1.3.6.1.2.1.25.3[|snmp]

Here is snort output

SNMP public access udp alert
30 4B 02 01 00 04 06 70 75 62 6C 69 63 A0 3E 02  0K.....public.>.
01 07 02 01 00 02 01 00 30 33 30 0F 06 0B 2B 06  ........030...+.
01 02 01 19 03 02 01 05 01 05 00 30 0F 06 0B 2B  ...........0...+
06 01 02 01 19 03 05 01 01 01 05 00 30 0F 06 0B  ............0...
2B 06 01 02 01 19 03 05 01 02 01 05 00           +............

- Nick

---------------------------------------------------------------------------
Captus Networks
Are you prepared for the next Sobig & Blaster?
- Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
- Precisely Define and Implement Network Security
- Automatically Control P2P, IM and Spam Traffic
FIND OUT NOW - FREE Vulnerability Assessment Toolkit
http://www.captusnetworks.com/ads/42.htm
----------------------------------------------------------------------------
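An added example, not code from anyone in this thread: a small BER decoder that takes the hex bytes from Nick's Snort alert and reports what the spooler actually asked the remote host for (SNMP version, community string, PDU type, request-id and the object identifiers). The OID names come from the HOST-RESOURCES-MIB (RFC 2790); the function names and the "status poll" check are this example's own. Running it shows the three varbinds are hrDeviceStatus.1, hrPrinterStatus.1 and hrPrinterDetectedErrorState.1, which is exactly the printer-state poll James describes, and that the Snort signature is matching on the default community string "public" rather than on anything about the destination.

```python
# Added example, not code from the thread: decode the SNMPv1 GetRequest that
# Snort dumped so the alert can be checked against what the spooler asked for.
from typing import Dict, List, Tuple

# Hex bytes transcribed from the Snort "SNMP public access udp" alert above (77 bytes).
SNORT_PAYLOAD_HEX = (
    "30 4B 02 01 00 04 06 70 75 62 6C 69 63 A0 3E 02 "
    "01 07 02 01 00 02 01 00 30 33 30 0F 06 0B 2B 06 "
    "01 02 01 19 03 02 01 05 01 05 00 30 0F 06 0B 2B "
    "06 01 02 01 19 03 05 01 01 01 05 00 30 0F 06 0B "
    "2B 06 01 02 01 19 03 05 01 02 01 05 00"
)
SNORT_PAYLOAD = bytes.fromhex(SNORT_PAYLOAD_HEX.replace(" ", ""))

# Context-specific PDU tags that share the request-id/error/varbind layout.
# Trap (0xA4) has a different layout and is deliberately rejected.
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest",
             0xA2: "GetResponse", 0xA3: "SetRequest"}

# HOST-RESOURCES-MIB (RFC 2790) columns a Windows print spooler polls on an
# SNMP-capable printer; keys are column OIDs without the instance index.
KNOWN_OIDS = {
    "1.3.6.1.2.1.25.3.2.1.5": "hrDeviceStatus",
    "1.3.6.1.2.1.25.3.5.1.1": "hrPrinterStatus",
    "1.3.6.1.2.1.25.3.5.1.2": "hrPrinterDetectedErrorState",
}


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one BER tag-length-value element at pos.
    Returns (tag, value bytes, position after the element); handles short and
    long definite lengths and raises if the element runs past the buffer."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated BER element")
    return tag, value, pos + length


def decode_oid(value: bytes) -> str:
    """Turn BER OID contents into dotted form (base-128 subids, first octet packs two arcs)."""
    subids: List[int] = []
    cur = 0
    for b in value:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(cur)
            cur = 0
    first = subids[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in arcs + subids[1:])


def name_oid(oid: str) -> str:
    """Replace a known column prefix with its MIB name, keeping the instance suffix."""
    for prefix, name in KNOWN_OIDS.items():
        if oid == prefix:
            return name
        if oid.startswith(prefix + "."):
            return name + oid[len(prefix):]
    return oid


def decode_snmp(raw: bytes) -> Dict:
    """Decode an SNMPv1/v2c message carrying a Get*/Set/Response PDU into a dict."""
    tag, msg, end = read_tlv(raw, 0)
    if tag != 0x30 or end != len(raw):
        raise ValueError("payload is not a single SNMP message SEQUENCE")
    _, ver, pos = read_tlv(msg, 0)
    _, community, pos = read_tlv(msg, pos)
    pdu_tag, pdu, _ = read_tlv(msg, pos)
    if pdu_tag not in PDU_NAMES:
        raise ValueError(f"unhandled PDU tag 0x{pdu_tag:02x}")
    _, rid, p = read_tlv(pdu, 0)           # request-id
    _, err, p = read_tlv(pdu, p)           # error-status
    _, idx, p = read_tlv(pdu, p)           # error-index
    _, vbl, _ = read_tlv(pdu, p)           # VarBindList SEQUENCE
    varbinds: List[Tuple[str, str]] = []
    q = 0
    while q < len(vbl):
        _, vb, q = read_tlv(vbl, q)        # each VarBind is SEQUENCE { OID, value }
        oid_tag, oid_raw, _ = read_tlv(vb, 0)
        if oid_tag != 0x06:
            raise ValueError("VarBind does not start with an OBJECT IDENTIFIER")
        oid = decode_oid(oid_raw)
        varbinds.append((oid, name_oid(oid)))
    return {
        "version": int.from_bytes(ver, "big", signed=True),   # 0 = SNMPv1, 1 = v2c
        "community": community.decode("ascii", "replace"),
        "pdu": PDU_NAMES[pdu_tag],
        "request_id": int.from_bytes(rid, "big", signed=True),
        "error_status": int.from_bytes(err, "big", signed=True),
        "error_index": int.from_bytes(idx, "big", signed=True),
        "varbinds": varbinds,
    }


def is_printer_status_poll(msg: Dict) -> bool:
    """True when the request only reads known printer/device status columns:
    the shape of a spooler poll, not a walk of the whole agent."""
    return (msg["pdu"] in ("GetRequest", "GetNextRequest")
            and bool(msg["varbinds"])
            and all(name != oid for oid, name in msg["varbinds"]))


if __name__ == "__main__":
    decoded = decode_snmp(SNORT_PAYLOAD)
    for key, val in decoded.items():
        print(f"{key}: {val}")
    print("looks like a printer status poll:", is_printer_status_poll(decoded))
```

The same decoder works on any UDP/161 payload pulled from a pcap, so the check generalises beyond this one alert: a request whose OIDs all fall under known status columns is the spooler doing what James describes, while a GetNextRequest walking arbitrary subtrees, a SetRequest, or a non-printer destination is what would merit a closer look.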
Current thread:
- SNMP Traffic over spoolsv.exe ? Nick Duda (Sep 11)
- RE: SNMP Traffic over spoolsv.exe ? David Gillett (Sep 11)
- RE: SNMP Traffic over spoolsv.exe ? Darren Augi (Sep 15)
- <Possible follow-ups>
- Re: SNMP Traffic over spoolsv.exe ? jamesworld (Sep 16)
- RE: SNMP Traffic over spoolsv.exe ? David Gillett (Sep 11)