I think you're close, but I suspect the HP JetDirect admin software. It can be used to query the network looking for HP JetDirect cards that have not been configured.

Donald.Smithat_private GCIA QIS/WWN Security
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xAF00EDCC
pgpFingerPrint: 9CE4 227B B9B3 601F B500 D076 43F1 0767 AF00 EDCC

> -----Original Message-----
> From: Michael Roberts [mailto:mrobertsat_private]
> Sent: Thursday, January 23, 2003 11:17 AM
> To: keithpat_private; iscat_private
> Cc: incidentsat_private
> Subject: Re: SNMP Weirdness
>
> I believe this traffic is being generated by a Hewlett Packard
> JetDirect. The ones I have used are programmed with this IP address as
> the factory default and I have also seen them generate SNMP traffic as
> well.
>
> Just an educated guess, but at least somewhere you can start.
>
> Michael Roberts, MCNE, MCSA, CCA
> Director of Network Services
> Consolidated Health Systems
> Highlands Regional Medical Center
>
> >>> "Keith Pachulski" <keithpat_private> 01/20/03 02:10PM >>>
> Has anyone seen this behavior? If so, care to share the details?
>
> I originally saw these from an internal firewall; after setting up a
> snort to grab the traffic I logged the following:
>
> [**] weirdness ensues [**]
> 01/20-13:46:27.084888 X.X.X.26:1697 -> 192.0.0.192:161
> UDP TTL:128 TOS:0x0 ID:22091 IpLen:20 DgmLen:265
> Len: 245
> 30 81 EA 02 01 00 04 06 70 75 62 6C 69 63 A1 81  0.......public..
> DC 02 01 00 02 01 00 02 01 00 30 81 D0 30 0B 06  ..........0..0..
> 07 2B 06 01 02 01 01 01 05 00 30 0B 06 07 2B 06  .+........0...+.
> 01 02 01 01 03 05 00 30 0B 06 07 2B 06 01 02 01  .......0...+....
> 01 05 05 00 30 0D 06 09 2B 06 01 02 01 02 02 01  ....0...+.......
> 06 05 00 30 0D 06 09 2B 06 01 02 01 04 14 01 01  ...0...+........
> 05 00 30 0E 06 0A 2B 06 01 02 01 19 03 02 01 03  ..0...+.........
> 05 00 30 10 06 0C 2B 06 01 04 01 0B 02 03 09 01  ..0...+.........
> 01 07 05 00 30 10 06 0C 2B 06 01 04 01 0B 02 03  ....0...+.......
> 09 05 01 03 05 00 30 10 06 0C 2B 06 01 04 01 0B  ......0...+.....
> 02 04 03 08 03 02 05 00 30 10 06 0C 2B 06 01 04  ........0...+...
> 01 0B 02 04 03 08 03 03 05 00 30 0F 06 0B 2B 06  ..........0...+.
> 01 04 01 0B 02 04 03 0A 07 05 00 30 0F 06 0B 2B  ...........0...+
> 06 01 04 01 0B 02 04 03 0A 0D 05 00 30 0F 06 0B  ............0...
> 2B 06 01 04 01 0B 02 04 03 0D 01 05 00           +............
>
> I have a few internal machines sending the same queries to the same
> address.
>
> Name:
> 192.0.0.0-is-used-for-printservices-discovery----illegally.iana.net
> Address: 192.0.0.192
>
> |Keith A. Pachulski, PPS, GCIH, GCFW | IATFF Member| InfraGard Member|
> |PenTeleData/Prolog Internet Services | Network Security Engineer|
> |Phone: (800) 281-3564 x 2454 | Pager: 8884414569at_private|
> |6B56 C8DC 6201 6D1A BFF5 5799 E193 ABAA 9549 74D0|
> |"In God We Trust - - - All Others We Monitor"|
> |--- United States Navy Intelligence|
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Sat Jan 25 2003 - 07:15:25 PST