[Snort-sigs] SSDP/uPnP signature

Brian bmc at ...95...
Thu Dec 20 15:18:02 EST 2001


According to Steve Halligan:
> Since we don't really know what the exploit for
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/
> bulletin/MS01-059.asp 
> looks like, here are a couple of rules to see ANY SSDP/uPnP traffic.  You
> really shouldn't be seeing this kind of traffic on the outside of your
> firewall.
> 
> alert udp any any -> any 1900 (msg:"SSDP-uPnP traffic";
> content:"ssdp\:alive"; nocase; reference: cve,CAN-2001-0876; reference:
> cve,CAN-2001-0877; classtype:bad-unknown; priority:2; sid:1000001;)
> alert udp any any -> any 5000 (msg:"SSDP-uPnP traffic";
> content:"ssdp\:alive"; nocase; reference: cve,CAN-2001-0876; reference:
> cve,CAN-2001-0877; classtype:bad-unknown; priority:2; sid:1000002;)

Actually, the sending query doesn't have to use alive.  SSDP/uPnP
seems to be a hacked up httpd running over UDP.  I've submitted
queries that don't include that line that seem to work just fine.
(Not that I am an expert in uPnP)  

All uses of UPNP are probably bad, but I haven't turned on logging for
it yet.  BTW, port 5000 on my XP box isn't listening.  Anyone know how 
they differ?

Oh, the sig I've generated for now... 

(if this triggers, please send me the packet :P)

alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"MISC UPNP malformed advertisement"; content:"NOTIFY * "; nocase; offset:0; depth:9; classtype:misc-attack; reference:cve,CAN-2001-0876; reference:cve,CAN-2001-0877; sid:1384; rev:1;)

-- 
I'll get a life when someone demonstrates that it would be superior to 
what I have now.
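The two rules in this thread key on different parts of an SSDP datagram: Steve's rules look anywhere in the payload for the literal string ssdp:alive (the backslash in "ssdp\:alive" is Snort escaping the colon), while Brian's rule looks only at the first bytes of the payload for the NOTIFY request line. Below is an added example, not code from either poster, that reproduces just the content/nocase/offset/depth matching semantics in a small Python matcher and runs both rules over three constructed SSDP datagrams (an ssdp:alive NOTIFY, an ssdp:byebye NOTIFY, and an M-SEARCH query). It assumes the usual Snort reading of depth as the size of the search window measured from offset, so a content longer than the window can never match; the rule as originally posted used depth:8 for the 9-byte content "NOTIFY * ", and the example includes that variant next to one with depth:9. The $EXTERNAL_NET/$HOME_NET direction check is not modelled. All payloads, addresses and UUIDs are made up for the example.

```python
"""Added example, not from the original posts: a toy Snort-style content
matcher applied to constructed SSDP datagrams.

Only the content / nocase / offset / depth options are modelled (a content
must lie entirely inside the offset..offset+depth window).  This is not
Snort's engine, and the sample payloads below are constructed, not captured.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class Rule:
    name: str
    dports: Set[int]
    content: bytes
    nocase: bool = False
    offset: int = 0
    depth: Optional[int] = None

    def matches(self, dport: int, payload: bytes) -> bool:
        """True if the datagram hits the port list and the content window."""
        if dport not in self.dports:
            return False
        end = None if self.depth is None else self.offset + self.depth
        window = payload[self.offset:end]
        if self.nocase:
            return self.content.lower() in window.lower()
        return self.content in window


# Steve's two rules: same content, destination port 1900 or 5000.
# "ssdp\:alive" in Snort rule syntax is the literal bytes ssdp:alive.
HALLIGAN = Rule("SSDP-uPnP traffic", {1900, 5000}, b"ssdp:alive", nocase=True)

# Brian's rule with the depth as originally posted: "NOTIFY * " is 9 bytes,
# but depth:8 leaves an 8-byte window, so this variant can never fire.
BMC_AS_POSTED = Rule("MISC UPNP malformed advertisement (depth:8)", {1900},
                     b"NOTIFY * ", nocase=True, offset=0, depth=8)

# Same rule with the window widened to cover the whole request-line prefix.
BMC_FIXED = Rule("MISC UPNP malformed advertisement (depth:9)", {1900},
                 b"NOTIFY * ", nocase=True, offset=0, depth=9)

# Constructed SSDP datagrams (RFC 5737 test address, dummy UUID).
SAMPLES: Dict[str, bytes] = {
    "notify_alive": (
        b"NOTIFY * HTTP/1.1\r\n"
        b"HOST: 239.255.255.250:1900\r\n"
        b"NT: upnp:rootdevice\r\n"
        b"NTS: ssdp:alive\r\n"
        b"LOCATION: http://192.0.2.10:5000/desc.xml\r\n"
        b"USN: uuid:00000000-0000-0000-0000-000000000001::upnp:rootdevice\r\n"
        b"\r\n"
    ),
    "notify_byebye": (
        b"NOTIFY * HTTP/1.1\r\n"
        b"HOST: 239.255.255.250:1900\r\n"
        b"NT: upnp:rootdevice\r\n"
        b"NTS: ssdp:byebye\r\n"
        b"USN: uuid:00000000-0000-0000-0000-000000000001::upnp:rootdevice\r\n"
        b"\r\n"
    ),
    # A discovery query: no NOTIFY line and no ssdp:alive anywhere.
    "msearch": (
        b"M-SEARCH * HTTP/1.1\r\n"
        b"HOST: 239.255.255.250:1900\r\n"
        b"MAN: \"ssdp:discover\"\r\n"
        b"MX: 3\r\n"
        b"ST: ssdp:all\r\n"
        b"\r\n"
    ),
}


def evaluate(rule: Rule, dport: int = 1900) -> Dict[str, bool]:
    """Run one rule over every constructed sample sent to the given port."""
    return {name: rule.matches(dport, payload) for name, payload in SAMPLES.items()}


if __name__ == "__main__":
    for rule in (HALLIGAN, BMC_AS_POSTED, BMC_FIXED):
        print(rule.name, evaluate(rule))
```

Running it shows the gap Brian points at: the ssdp:alive rules see only the alive advertisement, the NOTIFY rule (once its depth covers the pattern) sees both alive and byebye advertisements, and neither sees an M-SEARCH query, which carries ssdp:discover rather than ssdp:alive.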