[Snort-sigs] SSDP/uPnP signature

Steve Halligan agent33 at ...22...
Thu Dec 20 16:17:01 EST 2001


> Actually, the sending query doesn't have to use alive.  SSDP/uPnP
> seems to be a hacked up httpd running over UDP.  I've submitted
> queries that don't include that line that seem to work just fine.
> (Not that I am an expert in uPnP)  

No, it doesn't have to use alive, but it doesn't have to use NOTIFY either.
Both of eEye's sample headers used both alive and NOTIFY.  If we want to
catch "attacks" that look like the samples they provided, either should be fine.
I was kinda thinking about catching ALL SSDP/uPnP traffic.

Hrmmm, they all have the string "uuid" in them, maybe that would work.
Anyone on the list know anything more about this protocol that can identify
something that will be in EVERY packet?

All this freaking trouble so we can program our 'fridges and
toasters...sheesh.
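Added example, not part of the original thread: a small Python check of the candidate content strings discussed above (NOTIFY, ssdp:alive, uuid) against constructed SSDP datagrams. It goes one step past the thread by including an M-SEARCH request alongside the NOTIFY and response forms, so it shows which candidates actually appear in every message type; the sample payloads, addresses and UUID are made up for illustration.

```python
# Constructed sample SSDP datagrams (not captures from the thread): a NOTIFY
# announcement, an M-SEARCH discovery request and a unicast search response.
SAMPLES = {
    "notify": (
        "NOTIFY * HTTP/1.1\r\n"
        "HOST: 239.255.255.250:1900\r\n"
        "NT: upnp:rootdevice\r\n"
        "NTS: ssdp:alive\r\n"
        "USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
        "LOCATION: http://192.0.2.10:5000/desc.xml\r\n\r\n"
    ),
    "msearch": (
        "M-SEARCH * HTTP/1.1\r\n"
        "HOST: 239.255.255.250:1900\r\n"
        "MAN: \"ssdp:discover\"\r\n"
        "MX: 3\r\n"
        "ST: ssdp:all\r\n\r\n"
    ),
    "response": (
        "HTTP/1.1 200 OK\r\n"
        "CACHE-CONTROL: max-age=1800\r\n"
        "ST: upnp:rootdevice\r\n"
        "USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
        "LOCATION: http://192.0.2.10:5000/desc.xml\r\n\r\n"
    ),
}

# Content strings proposed in the thread, plus the HTTP version token that the
# "httpd over UDP" framing suggests as a catch-all.
CANDIDATES = ["NOTIFY", "ssdp:alive", "uuid", "HTTP/1.1"]

def parse_ssdp(payload):
    """Split one SSDP datagram into (start line, {HEADER: value})."""
    head = payload.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return lines[0], headers

def candidate_coverage(samples=SAMPLES, candidates=CANDIDATES):
    """Map each candidate to the sample names containing it (case-sensitive,
    like a Snort content match without nocase)."""
    return {c: {n for n, p in samples.items() if c in p} for c in candidates}

def universal_candidates(samples=SAMPLES, candidates=CANDIDATES):
    """Candidates present in every sample, i.e. usable for a catch-all rule."""
    cov = candidate_coverage(samples, candidates)
    return sorted(c for c, names in cov.items() if names == set(samples))
```

Running this shows "uuid" covers the NOTIFY and response forms but not the M-SEARCH request, while the HTTP version token appears in all three.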

