Re: SNMP Weirdness

From: Michael Roberts (mrobertsat_private)
Date: Thu Jan 23 2003 - 10:17:09 PST


    I believe this traffic is being generated by a Hewlett Packard
    JetDirect.  The ones I have used are programmed with this IP address as
    the factory default and I have also seen them generate SNMP traffic.
    
    Just an educated guess, but at least somewhere you can start.
    
    Michael Roberts, MCNE, MCSA, CCA
    Director of Network Services
    Consolidated Health Systems
    Highlands Regional Medical Center
    
    
    >>> "Keith Pachulski" <keithpat_private> 01/20/03 02:10PM >>>
    Has anyone seen this behavior? If so, care to share the details?
    
    I originally saw these from an internal firewall; after setting up
    snort to grab the traffic I logged the following:
    
    [**] weirdness ensues [**]
    01/20-13:46:27.084888 X.X.X.26:1697 -> 192.0.0.192:161
    UDP TTL:128 TOS:0x0 ID:22091 IpLen:20 DgmLen:265
    Len: 245
    30 81 EA 02 01 00 04 06 70 75 62 6C 69 63 A1 81  0.......public..
    DC 02 01 00 02 01 00 02 01 00 30 81 D0 30 0B 06  ..........0..0..
    07 2B 06 01 02 01 01 01 05 00 30 0B 06 07 2B 06  .+........0...+.
    01 02 01 01 03 05 00 30 0B 06 07 2B 06 01 02 01  .......0...+....
    01 05 05 00 30 0D 06 09 2B 06 01 02 01 02 02 01  ....0...+.......
    06 05 00 30 0D 06 09 2B 06 01 02 01 04 14 01 01  ...0...+........
    05 00 30 0E 06 0A 2B 06 01 02 01 19 03 02 01 03  ..0...+.........
    05 00 30 10 06 0C 2B 06 01 04 01 0B 02 03 09 01  ..0...+.........
    01 07 05 00 30 10 06 0C 2B 06 01 04 01 0B 02 03  ....0...+.......
    09 05 01 03 05 00 30 10 06 0C 2B 06 01 04 01 0B  ......0...+.....
    02 04 03 08 03 02 05 00 30 10 06 0C 2B 06 01 04  ........0...+...
    01 0B 02 04 03 08 03 03 05 00 30 0F 06 0B 2B 06  ..........0...+.
    01 04 01 0B 02 04 03 0A 07 05 00 30 0F 06 0B 2B  ...........0...+
    06 01 04 01 0B 02 04 03 0A 0D 05 00 30 0F 06 0B  ............0...
    2B 06 01 04 01 0B 02 04 03 0D 01 05 00           +............
    
    I have a few internal machines sending the same queries to the same
    address.
    
    Name:   
    192.0.0.0-is-used-for-printservices-discovery----illegally.iana.net
    Address:  192.0.0.192
    
    |Keith A. Pachulski, PPS, GCIH, GCFW | IATFF Member| InfraGard Member|
    |PenTeleData/Prolog Internet Services | Network Security Engineer|
    |Phone: (800) 281-3564 x 2454 | Pager: 8884414569at_private| 
    |6B56 C8DC 6201 6D1A BFF5 5799 E193 ABAA 9549 74D0|
    |"In God We Trust - - - All Others We Monitor"|
    |--- United States Navy Intelligence|
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com 
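Added example, not part of the original post and not code from HP: a small
Python BER decoder for the SNMP payload in the snort dump above. The hex
bytes are copied from Keith's capture (constructed as inline input here);
the object names come from the standard MIB-2 and Host Resources MIBs (RFC
1213, RFC 2790); and the label on the last seven OIDs relies only on IANA
private enterprise number 11 being Hewlett-Packard, nothing more is assumed
about what those HP objects mean. Decoding shows the packet is an SNMPv1
GetNextRequest with community "public" and request-id 0, carrying 13
varbinds: six standard objects (sysDescr, sysUpTime, sysName, ifPhysAddress,
ipAdEntAddr, hrDeviceDescr) and seven under 1.3.6.1.4.1.11, which is
consistent with the JetDirect guess. The OIDs carry no instance suffix,
which is how a discovery client uses GetNext to fetch "the first object
under here" without knowing the instance in advance.

```python
# Added example (not from the original post): a minimal BER walker that
# decodes the SNMPv1 payload from the snort dump and labels the OIDs it asks for.

# Constructed input: the UDP payload bytes copied from the hex column of the
# snort dump above (IP/UDP headers are not part of that dump).
SNORT_HEX = """
30 81 EA 02 01 00 04 06 70 75 62 6C 69 63 A1 81
DC 02 01 00 02 01 00 02 01 00 30 81 D0 30 0B 06
07 2B 06 01 02 01 01 01 05 00 30 0B 06 07 2B 06
01 02 01 01 03 05 00 30 0B 06 07 2B 06 01 02 01
01 05 05 00 30 0D 06 09 2B 06 01 02 01 02 02 01
06 05 00 30 0D 06 09 2B 06 01 02 01 04 14 01 01
05 00 30 0E 06 0A 2B 06 01 02 01 19 03 02 01 03
05 00 30 10 06 0C 2B 06 01 04 01 0B 02 03 09 01
01 07 05 00 30 10 06 0C 2B 06 01 04 01 0B 02 03
09 05 01 03 05 00 30 10 06 0C 2B 06 01 04 01 0B
02 04 03 08 03 02 05 00 30 10 06 0C 2B 06 01 04
01 0B 02 04 03 08 03 03 05 00 30 0F 06 0B 2B 06
01 04 01 0B 02 04 03 0A 07 05 00 30 0F 06 0B 2B
06 01 04 01 0B 02 04 03 0A 0D 05 00 30 0F 06 0B
2B 06 01 04 01 0B 02 04 03 0D 01 05 00
"""

PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap"}

# MIB-2 / Host Resources names (RFC 1213, RFC 2790) for the standard OIDs in the dump.
MIB2_NAMES = {
    "1.3.6.1.2.1.1.1": "sysDescr", "1.3.6.1.2.1.1.3": "sysUpTime",
    "1.3.6.1.2.1.1.5": "sysName", "1.3.6.1.2.1.2.2.1.6": "ifPhysAddress",
    "1.3.6.1.2.1.4.20.1.1": "ipAdEntAddr", "1.3.6.1.2.1.25.3.2.1.3": "hrDeviceDescr",
}
HP_ENTERPRISE = "1.3.6.1.4.1.11."   # IANA private enterprise number 11 = Hewlett-Packard

def read_tlv(buf, pos):
    """Return (tag, contents, next_pos) for the BER element at buf[pos]."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(contents):
    """Convert BER OBJECT IDENTIFIER contents to dotted notation."""
    first = contents[0]
    lead = 2 if first >= 80 else first // 40        # first octet packs the first two arcs
    arcs, n = [lead, first - 40 * lead], 0
    for b in contents[1:]:                          # base-128, high bit set on all but the last octet
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def parse_snmpv1(packet):
    """Parse one SNMPv1 message into version, community, PDU type, request-id and OIDs."""
    tag, msg, end = read_tlv(packet, 0)
    if tag != 0x30 or end != len(packet):
        raise ValueError("payload is not a single SEQUENCE")
    vtag, ver, pos = read_tlv(msg, 0)
    ctag, community, pos = read_tlv(msg, pos)
    ptag, pdu, _ = read_tlv(msg, pos)
    if (vtag, ctag) != (0x02, 0x04) or ptag not in PDU_TYPES:
        raise ValueError("unexpected SNMPv1 message layout")
    _, req_id, p = read_tlv(pdu, 0)                 # request-id, then error-status, error-index
    _, _, p = read_tlv(pdu, p)
    _, _, p = read_tlv(pdu, p)
    ltag, vblist, _ = read_tlv(pdu, p)
    if ltag != 0x30:
        raise ValueError("missing VarBindList")
    oids, v = [], 0
    while v < len(vblist):                          # each VarBind is SEQUENCE { OID, value }
        _, vb, v = read_tlv(vblist, v)
        otag, oid, _ = read_tlv(vb, 0)
        if otag != 0x06:
            raise ValueError("VarBind without an OID")
        oids.append(decode_oid(oid))
    return {"version": int.from_bytes(ver, "big", signed=True),
            "community": community.decode("ascii", "replace"),
            "pdu_type": PDU_TYPES[ptag],
            "request_id": int.from_bytes(req_id, "big", signed=True),
            "oids": oids}

def label_oid(oid):
    """Name standard objects; flag HP's enterprise arc; everything else is 'other'."""
    if oid in MIB2_NAMES:
        return MIB2_NAMES[oid]
    return "HP enterprise subtree" if oid.startswith(HP_ENTERPRISE) else "other"

def snort_packet():
    return bytes.fromhex(SNORT_HEX)        # whitespace, including newlines, is ignored

if __name__ == "__main__":
    m = parse_snmpv1(snort_packet())
    print(f"SNMPv{m['version'] + 1} {m['pdu_type']} community={m['community']!r} "
          f"request-id={m['request_id']} varbinds={len(m['oids'])}")
    for oid in m["oids"]:
        print(f"  {oid:<26} {label_oid(oid)}")
```

The same parser works on any SNMPv1 payload lifted from a pcap. For this
case the thing worth alerting on is the combination: an SNMPv1 request
with community "public" and an OID under HP's enterprise arc leaving a
workstation for 192.0.0.192 on UDP/161.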
    



    This archive was generated by hypermail 2b30 : Sat Jan 25 2003 - 06:20:29 PST