From: Chuck Swiger
Date: Mon, 27 Jan 2003 11:04:05 -0500
To: freebsd-questions@FreeBSD.ORG
Subject: Re: snmp probe?
Message-ID: <3E355875.5000106@mac.com>

Kenzo wrote:
[ ... ]
> portsentry[236]: attackalert: Connect from host: 10.x.x.x/10.x.x.x to UDP
> port: 161
>
> That's the snmp port. The address that it's coming from is just a
> workstation. Now why would a regular workstation probe me on the snmp port?

A human programmed it to do so, most likely.

> What could it be?

If you tell us what OS and software the workstation is running, we could probably make more useful suggestions.

> Is it a program on the computer trying to look for a device on the network
> like a jetdirect?

That's very probable.

> Or virus, trojan trying to spread?

Much less likely, but still possible, I guess.

> I guess I just want to know why it's doing this, and how to prevent it.

Disconnect the workstation from the network?
Configure the workstation to perform packet filtering of 168/169?
Determine which software is causing the and change it?

-Chuck
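
An added example, not part of the original message: one way to work out which case applies is to group the portsentry `attackalert` lines by source and see whether a host only ever touches UDP 161 or hits many different ports. The sample log lines and addresses are constructed, and the labels and threshold are a heuristic assumed here, not portsentry behaviour.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines in the format quoted in the message
# (addresses are made up; the original post masks them as 10.x.x.x).
SAMPLE_LOG = """\
Jan 27 09:58:01 gw portsentry[236]: attackalert: Connect from host: 10.0.0.23/10.0.0.23 to UDP port: 161
Jan 27 10:03:01 gw portsentry[236]: attackalert: Connect from host: 10.0.0.23/10.0.0.23 to UDP port: 161
Jan 27 10:08:02 gw portsentry[236]: attackalert: Connect from host: 10.0.0.23/10.0.0.23 to UDP port: 161
Jan 27 10:09:10 gw portsentry[236]: attackalert: Connect from host: 10.0.0.77/10.0.0.77 to TCP port: 111
Jan 27 10:09:10 gw portsentry[236]: attackalert: Connect from host: 10.0.0.77/10.0.0.77 to UDP port: 161
Jan 27 10:09:11 gw portsentry[236]: attackalert: Connect from host: 10.0.0.77/10.0.0.77 to TCP port: 1524
Jan 27 10:09:11 gw sshd[412]: Accepted publickey for admin from 10.0.0.5
"""

ALERT_RE = re.compile(
    r"portsentry\[\d+\]: attackalert: Connect from host: "
    r"(?P<name>\S+)/(?P<ip>\S+) to (?P<proto>TCP|UDP) port: (?P<port>\d+)"
)

SNMP = ("UDP", 161)

def parse_alerts(text):
    """Yield (ip, proto, port) for each portsentry attackalert line."""
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            yield m["ip"], m["proto"], int(m["port"])

def summarize(text, sweep_threshold=3):
    """Group alerts by source and label the pattern (heuristic, an assumption)."""
    hits = defaultdict(list)
    for ip, proto, port in parse_alerts(text):
        hits[ip].append((proto, port))
    report = {}
    for ip, events in hits.items():
        distinct = set(events)
        if distinct == {SNMP}:
            label = "snmp-only"       # one port, repeatedly: e.g. device discovery
        elif len(distinct) >= sweep_threshold:
            label = "multi-port"      # many different ports: treat as a scan
        else:
            label = "other"
        report[ip] = {"count": len(events), "ports": sorted(distinct), "label": label}
    return report

if __name__ == "__main__":
    for ip, info in sorted(summarize(SAMPLE_LOG).items()):
        print(ip, info["label"], info["count"], info["ports"])
```

A host labelled `snmp-only` is the one to check for printer or network-management software; a `multi-port` host deserves a closer look on the workstation itself.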