Netgate Discussion Forum

    Logs from a printer trying to communicate with lots of IP addresses

    • Sal

      Hi guys,

      I am getting a lot of logs on Snort from a printer on the network. I tried to search, but I can't understand why this printer is trying to communicate with a lot of IP addresses inside the network (even people that don't use it). Have any of you encountered this type of log:
      Sport 80 120:19 (http_inspect) MULTIPLE CONTENT LENGTH IN HTTP RESPONSE

      Note: This printer is shared through Windows print management and very few people are using it.

      • NollipfSense @Sal

        @Sal I would guess it's your Windows print management and not the actual printer...you can unplug it and only plug when you need it. The log entry could be router gossip!

        pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
        pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

        • bmeeks @Sal

          @Sal said in Logs from a printer trying to communicate with lots of IP addresses:

          Hi guys,

          I am getting a lot of logs on Snort from a printer on the network. I tried to search, but I can't understand why this printer is trying to communicate with a lot of IP addresses inside the network (even people that don't use it). Have any of you encountered this type of log:
          Sport 80 120:19 (http_inspect) MULTIPLE CONTENT LENGTH IN HTTP RESPONSE

          Note: This printer is shared through Windows print management and very few people are using it.

          Many of the HTTP_INSPECT rules are chatty and, in my humble opinion, close to being worthless in today's modern networks. There are so many devices and software applications that "violate" some sentence or paragraph of an RFC someplace and thus will trigger these HTTP_INSPECT rules. Rarely is the event actually malicious these days.

          So I would be fully comfortable disabling that rule, or at the very least suppressing it for the address of your printer and the Windows server that is hosting it.

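One way to scope the suppression suggested above, as an added example that is not part of any post in this thread: tally the 120:19 alerts by source address and emit Snort `suppress` entries only for hosts that have already been reviewed (the printer and the print server), so the same alert from any other source stays visible. The alert lines and addresses are constructed, and `reviewed_hosts` and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed alerts in Snort's alert_fast layout; all addresses are
# documentation placeholders, not values from the thread.
MSG = "(http_inspect) MULTIPLE CONTENT LENGTH IN HTTP RESPONSE"
TAIL = "[**] [Classification: Unknown Traffic] [Priority: 3] {TCP}"
SAMPLE_ALERTS = "\n".join([
    f"01/15-10:22:31.104512  [**] [120:19:1] {MSG} {TAIL} 192.0.2.10:80 -> 192.0.2.51:49822",
    f"01/15-10:22:35.220113  [**] [120:19:1] {MSG} {TAIL} 192.0.2.10:80 -> 192.0.2.52:50110",
    f"01/15-10:23:02.004771  [**] [120:19:1] {MSG} {TAIL} 192.0.2.10:80 -> 192.0.2.53:51344",
    f"01/15-10:23:10.918220  [**] [120:19:1] {MSG} {TAIL} 192.0.2.20:80 -> 192.0.2.51:49901",
    f"01/15-10:24:44.630018  [**] [120:19:1] {MSG} {TAIL} 192.0.2.77:80 -> 192.0.2.54:52200",
    "01/15-10:25:01.000000  [**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR "
    f"TRANSFER-ENCODING IN HTTP RESPONSE {TAIL} 192.0.2.10:80 -> 192.0.2.51:49950",
])

# Pulls gid, sid and both endpoints out of one alert_fast line.
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\].*?\{\w+\}\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::\d+)?\s+->\s+(?P<dst>\d+\.\d+\.\d+\.\d+)"
)

def count_sources(text, gid, sid):
    """Count alerts for one gid:sid per source address."""
    counts = Counter()
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m and (int(m["gid"]), int(m["sid"])) == (gid, sid):
            counts[m["src"]] += 1
    return counts

def build_suppress(text, gid, sid, reviewed_hosts):
    """Return (suppress entries for reviewed hosts, counts for all other sources)."""
    counts = count_sources(text, gid, sid)
    entries = [f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {ip}"
               for ip in sorted(counts) if ip in reviewed_hosts]
    unreviewed = {ip: n for ip, n in counts.items() if ip not in reviewed_hosts}
    return entries, unreviewed

if __name__ == "__main__":
    # Hypothetical reviewed hosts: the printer and the Windows print server.
    entries, unreviewed = build_suppress(SAMPLE_ALERTS, 120, 19,
                                         {"192.0.2.10", "192.0.2.20"})
    print("\n".join(entries))
    print("still alerting, review before suppressing:", unreviewed)
```

The generated lines use Snort's `suppress` syntax and go into the suppress list assigned to the interface; sources listed as unreviewed keep alerting until someone has looked at them.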
          • Sal

            Thank you so much guys for your reply. I will go ahead and disable the rule.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.