Blackice Detecting TCP and UDP probes from printserver

Subject: Blackice Detecting TCP and UDP probes from printserver
Posted by:  Ishmealm (Ishmea…@discussions.microsoft.com)
Date: Thu, 31 Aug 2006

Hi,
I've got a user running Blackice and he's getting about 15,000 probes
a day from one of our print servers.  Everything that I've seen points to
someone maliciously running scans, but I don't think that this is the case
this time.  Is there any reason in the Windows world that a server would
probe a workstation?  I don't see anything in the event logs that corresponds
to the probe times and he doesn't use that print server.  Here's a sample of
the Blackice log:

Time, Event, Intruder, Count
8/24/2006 1:07:23 PM, UDP_Probe_SNMP, PRINT-37, 519
8/24/2006 1:08:22 PM, TCP_Probe_Other, PRINT-37, 10290
8/24/2006 7:32:57 PM, UDP_Probe_SNMP, PRINT-37, 564
8/24/2006 7:33:30 PM, TCP_Probe_Other, PRINT-37, 11382
8/25/2006 6:15:36 PM, UDP_Probe_SNMP, PRINT-37, 923
8/25/2006 6:16:09 PM, TCP_Probe_Other, PRINT-37, 20078
8/28/2006 7:20:15 PM, UDP_Probe_SNMP, PRINT-37, 1124
8/28/2006 7:22:11 PM, TCP_Probe_Other, PRINT-37, 21563
8/29/2006 8:19:34 AM, UDP_Probe_SNMP, PRINT-37, 75
8/29/2006 8:20:30 AM, TCP_Probe_Other, PRINT-37, 1914
8/29/2006 1:15:15 PM, UDP_Probe_SNMP, PRINT-37, 382
8/29/2006 1:15:41 PM, TCP_Probe_Other, PRINT-37, 8811
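
For triage, the log sample above can be grouped into bursts, pairing each UDP_Probe_SNMP entry with the TCP_Probe_Other entry that follows from the same host. This is an added example, not part of the original post; the function names and the 5-minute pairing window are assumptions.

```python
import csv
from datetime import datetime, timedelta

# Log sample copied from the post above (BlackICE event list).
LOG = """Time, Event, Intruder, Count
8/24/2006 1:07:23 PM, UDP_Probe_SNMP, PRINT-37, 519
8/24/2006 1:08:22 PM, TCP_Probe_Other, PRINT-37, 10290
8/24/2006 7:32:57 PM, UDP_Probe_SNMP, PRINT-37, 564
8/24/2006 7:33:30 PM, TCP_Probe_Other, PRINT-37, 11382
8/25/2006 6:15:36 PM, UDP_Probe_SNMP, PRINT-37, 923
8/25/2006 6:16:09 PM, TCP_Probe_Other, PRINT-37, 20078
8/28/2006 7:20:15 PM, UDP_Probe_SNMP, PRINT-37, 1124
8/28/2006 7:22:11 PM, TCP_Probe_Other, PRINT-37, 21563
8/29/2006 8:19:34 AM, UDP_Probe_SNMP, PRINT-37, 75
8/29/2006 8:20:30 AM, TCP_Probe_Other, PRINT-37, 1914
8/29/2006 1:15:15 PM, UDP_Probe_SNMP, PRINT-37, 382
8/29/2006 1:15:41 PM, TCP_Probe_Other, PRINT-37, 8811
"""

def parse_log(text):
    """Parse the CSV export into time-sorted events with typed fields."""
    rows = csv.DictReader(text.strip().splitlines(), skipinitialspace=True)
    events = [{"time": datetime.strptime(r["Time"], "%m/%d/%Y %I:%M:%S %p"),
               "event": r["Event"], "host": r["Intruder"], "count": int(r["Count"])}
              for r in rows]
    return sorted(events, key=lambda e: e["time"])

def pair_bursts(events, window=timedelta(minutes=5)):
    """Pair each SNMP entry with the next TCP entry from the same host."""
    bursts, pending = [], {}
    for e in events:
        if e["event"] == "UDP_Probe_SNMP":
            pending[e["host"]] = e
        elif e["event"] == "TCP_Probe_Other" and e["host"] in pending:
            snmp = pending.pop(e["host"])
            gap = e["time"] - snmp["time"]
            if gap <= window:  # window is an assumption, not a BlackICE setting
                bursts.append({"start": snmp["time"], "gap_s": int(gap.total_seconds()),
                               "snmp": snmp["count"], "tcp": e["count"],
                               "ratio": round(e["count"] / max(snmp["count"], 1), 1)})
    return bursts

if __name__ == "__main__":
    for b in pair_bursts(parse_log(LOG)):
        print(b["start"], f'gap={b["gap_s"]}s snmp={b["snmp"]} tcp={b["tcp"]} ratio={b["ratio"]}')
```

On this sample every SNMP entry is followed within two minutes by a TCP entry whose count is roughly 20 times larger, which gives six bursts at irregular times of day to compare against logs on PRINT-37 itself.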
