[Snort-users] Re: HP Jetdirect Printers and portscans

Rich Adamson radamson at ...2127...
Fri Jun 29 16:00:23 EDT 2001

> Since the subject came up (again) ... does anyone know how to get the users' pc's
> to stop doing SNMP scans for HP printers? ... all the printers our users need are
> already installed in their "printers" window.

As someone else mentioned, the JetAdmin utilities will do this, however simply
installing an HP print driver on a Windows machine will also do it. One of the
HP *.dll's will scan all IP's within the netmask defined on the Windows machine,
looking for HP printers using snmp. As each IP address is checked, if that
address does not support snmp, an icmp port unreachable message is returned.
If it does find an HP printer, snmp is used to interrogate the features and
fonts supported by "that" remote printer. 

In stock Windows 95 systems, Microsoft distributed an overly aggressive *.dll
from HP that would go screaming through every IP address on a frequent basis.
If these machines were assigned IP's with a Class-B netmask, each machine would
check all 65,000 addresses, and it would take approximately 5 to 10 of the 
machines to fully consume an ethernet segment causing very poor performance. 
(The JetAdmin utilities were not actually installed on any of these machines.)
HP subsequently provided a replacement *.dll file that was significantly less
aggressive. Some HP drivers still use that same approach on an IP-only network,
so not sure you can actually remove it without killing the user's ability to
access those JetDirect printers.

Given the above, you should be able to find something on HP's web site that
discusses this, which will lead you to exactly which files initiates the 
scans, etc.


More information about the Snort-users mailing list