[Snort-sigs] SSDP/uPnP signature

Steve Halligan agent33 at ...22...
Thu Dec 20 13:39:02 EST 2001


Since we don't really know what the exploit for
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-059.asp
looks like, here are a couple of rules to see ANY SSDP/uPnP traffic.  You
really shouldn't be seeing this kind of traffic on the outside of your
firewall.

alert udp any any -> any 1900 (msg:"SSDP-uPnP traffic"; content:"ssdp\:alive"; nocase; reference:cve,CAN-2001-0876; reference:cve,CAN-2001-0877; classtype:bad-unknown; priority:2; sid:1000001;)
alert udp any any -> any 5000 (msg:"SSDP-uPnP traffic"; content:"ssdp\:alive"; nocase; reference:cve,CAN-2001-0876; reference:cve,CAN-2001-0877; classtype:bad-unknown; priority:2; sid:1000002;)

Not tested, thrown together based on theory, use at your own risk, blah blah
blah

-Steve
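As an added illustration that is not part of Steve's post, the Python below reduces the two rules to the fields that decide a match (UDP destination port 1900 or 5000, case-insensitive `content` search for the bytes `ssdp:alive`; the backslash in `ssdp\:alive` is rule-language escaping, not part of the wire bytes) and evaluates that logic over constructed SSDP datagrams. The NOTIFY and M-SEARCH messages, the `192.0.2.x` documentation addresses and the `uuid:constructed-example` USN are all made up for the example; the small header parser is mine, not Snort's. It shows the coverage the rules give and the gap they leave: `ssdp:alive` announcements are caught on either port, while `ssdp:byebye` notices and `M-SEARCH` discovery probes pass without an alert.

```python
"""Model of the two posted SSDP/uPnP Snort rules, run over constructed datagrams."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class UdpDatagram:
    """Minimal stand-in for a decoded UDP packet (constructed for this example)."""
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


# sid -> (destination port, content bytes, nocase); the parts of each rule that decide a match.
RULES: Dict[int, Tuple[int, bytes, bool]] = {
    1000001: (1900, b"ssdp:alive", True),
    1000002: (5000, b"ssdp:alive", True),
}


def content_matches(payload: bytes, content: bytes, nocase: bool) -> bool:
    """Snort 'content' semantics: plain substring search, case-folded when nocase is set."""
    if nocase:
        return content.lower() in payload.lower()
    return content in payload


def matching_sids(dgram: UdpDatagram) -> List[int]:
    """Return the sid of every rule that would alert on this datagram."""
    return [sid for sid, (dport, content, nocase) in RULES.items()
            if dgram.dport == dport and content_matches(dgram.payload, content, nocase)]


def parse_ssdp(payload: bytes) -> Optional[Dict[str, str]]:
    """Parse an HTTPU-style SSDP message into a header dict ('_start' holds the request line).

    Returns None when the payload is not ASCII text of that shape, so callers can tell a
    real SSDP message from arbitrary bytes that happen to contain the matched string.
    """
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None
    lines = text.split("\r\n")
    start = lines[0]
    if not re.match(r"^(NOTIFY|M-SEARCH) \* HTTP/1\.1$", start) and not start.startswith("HTTP/1.1"):
        return None
    headers = {"_start": start}
    for line in lines[1:]:
        if not line:            # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if not sep:
            return None
        headers[name.strip().upper()] = value.strip()
    return headers


# Constructed sample messages; addresses are RFC 5737 documentation ranges, the USN is invented.
SSDP_MCAST = "239.255.255.250"
NOTIFY_ALIVE = (
    b"NOTIFY * HTTP/1.1\r\n"
    b"HOST: 239.255.255.250:1900\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"LOCATION: http://192.0.2.10:5000/device.xml\r\n"
    b"NT: upnp:rootdevice\r\n"
    b"NTS: ssdp:alive\r\n"
    b"USN: uuid:constructed-example::upnp:rootdevice\r\n"
    b"\r\n"
)
NOTIFY_BYEBYE = NOTIFY_ALIVE.replace(b"ssdp:alive", b"ssdp:byebye")
MSEARCH = (
    b"M-SEARCH * HTTP/1.1\r\n"
    b"HOST: 239.255.255.250:1900\r\n"
    b"MAN: \"ssdp:discover\"\r\n"
    b"MX: 3\r\n"
    b"ST: ssdp:all\r\n"
    b"\r\n"
)

SAMPLES: Dict[str, UdpDatagram] = {
    "alive_1900": UdpDatagram("192.0.2.10", 1900, SSDP_MCAST, 1900, NOTIFY_ALIVE),
    "alive_5000": UdpDatagram("192.0.2.10", 1900, "192.0.2.20", 5000, NOTIFY_ALIVE),
    "alive_upper": UdpDatagram("192.0.2.10", 1900, SSDP_MCAST, 1900, NOTIFY_ALIVE.upper()),
    "byebye_1900": UdpDatagram("192.0.2.10", 1900, SSDP_MCAST, 1900, NOTIFY_BYEBYE),
    "msearch_1900": UdpDatagram("192.0.2.30", 49152, SSDP_MCAST, 1900, MSEARCH),
    "alive_other_port": UdpDatagram("192.0.2.10", 1900, SSDP_MCAST, 1901, NOTIFY_ALIVE),
}


def run_example() -> Dict[str, List[int]]:
    """Evaluate every constructed sample and return sample name -> matching sids."""
    return {name: matching_sids(d) for name, d in SAMPLES.items()}


if __name__ == "__main__":
    for name, sids in run_example().items():
        hdrs = parse_ssdp(SAMPLES[name].payload) or {}
        print(f"{name:18s} sids={sids} NTS={hdrs.get('NTS', '-')}")
```

The `alive_upper` sample is why `nocase` matters: without it an announcer that upper-cases its headers would slip past the rule. The `byebye_1900` and `msearch_1900` rows show the traffic these two rules do not see at all.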



