[Snort-users] HP Printers - SNMP Public Access udp

Mark.Schutzmann at ...10438...
Tue Nov 18 10:53:17 EST 2003


Bob,

This is normal traffic on a network that has a lot of HP Printers, because
the client's driver uses SNMP to determine the printer's extended status.
Usually the default SNMP password on these printers is Public and on some
non-HP printers it cannot be changed. I've actually written a rule to
detect new (rogue) printers when they come online. I did this by allowing
known corporate printers that are all within a certain IP range to have a
pass rule.

Regards,
Mark


                                                                                                                                                  
bdushok at ...10589...
Sent by: snort-users-admin at ...4626...ceforge.net
11/18/2003 11:29 AM

To: snort-users at lists.sourceforge.net
cc:
Subject: [Snort-users] HP Printers - SNMP Public Access udp

I'm new to Snort and have been tweaking my configuration for the past
couple of weeks.  I've been noticing a LOT of "SNMP Public Access udp"
alerts being generated.  They appear to be caused by clients (appear to be
Win2K) connecting to HP Printers containing Jet Direct cards.  I was
considering writing pass rules to avoid these alerts, but am wondering if
that's a good idea.  Has anyone seen this sort of network activity?  Does
it indicate something configured incorrectly either on the client or with
the Jet Direct unit?

Any suggestions would be appreciated.

Thanks,
Bob
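
The allow-list approach described in the reply, applied offline to Snort fast-format alerts, as an added example that is not from either poster: destinations inside an assumed known-printer range are counted as what a pass rule would silence, and any other host receiving "public" SNMP on UDP 161 is reported as a possible new printer. The range 10.1.20.0/24, the function name and the sample alert lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumption: known corporate printers sit in this range (constructed value).
PRINTER_NET = ipaddress.ip_network("10.1.20.0/24")

# Constructed sample lines in Snort "fast" alert format.
SAMPLE_ALERTS = """\
11/18-11:29:03.120000  [**] [1:1411:3] SNMP public access udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 10.1.5.23:1045 -> 10.1.20.11:161
11/18-11:29:04.510000  [**] [1:1411:3] SNMP public access udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 10.1.5.40:1102 -> 10.1.20.11:161
11/18-11:29:09.002000  [**] [1:1411:3] SNMP public access udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 10.1.5.23:1046 -> 10.1.20.12:161
11/18-11:30:41.730000  [**] [1:1411:3] SNMP public access udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 10.1.5.23:1050 -> 10.1.7.99:161
11/18-11:30:44.015000  [**] [1:1411:3] SNMP public access udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 10.1.5.61:1233 -> 10.1.7.99:161
11/18-11:31:10.000000  [**] [1:1000001:1] LOCAL unrelated example alert [**] [Priority: 3] {TCP} 10.1.5.61:1300 -> 10.1.20.11:80
"""

# Match only the SNMP public-access alert and capture both endpoints.
ALERT_RE = re.compile(
    r"\] SNMP public access udp \[\*\*\].*\{UDP\} "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):161\s*$",
    re.IGNORECASE,
)

def triage(lines, printer_net=PRINTER_NET):
    """Split SNMP-public alerts into known-printer noise and unknown devices."""
    known = Counter()   # destination -> alert count a pass rule would silence
    rogue = {}          # destination outside the range -> set of polling clients
    for line in lines:
        m = ALERT_RE.search(line)
        if not m:
            continue    # other alert types stay in the normal review queue
        dst = ipaddress.ip_address(m["dst"])
        if dst in printer_net:
            known[str(dst)] += 1
        else:
            rogue.setdefault(str(dst), set()).add(m["src"])
    return known, rogue

if __name__ == "__main__":
    known, rogue = triage(SAMPLE_ALERTS.splitlines())
    for dst, count in sorted(known.items()):
        print(f"known printer {dst}: {count} alert(s) would be passed")
    for dst, clients in sorted(rogue.items()):
        print(f"UNKNOWN device {dst} polled by {', '.join(sorted(clients))}")
```

Running this over a day of real alerts before adding a pass rule shows how much noise the rule removes and which destinations would still alert.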







