[Snort-sigs] UPnP Rules

Andrew Rucker Jones arjones at ...1200...
Tue Jan 21 22:02:13 EST 2003

Hi all!
     First of all, please include a direct reply to me, as i am not 
subscribed to the list.
     I was looking at the UPnP rules in the most recent Snort rulesets 
for 1.9.0 (the stable ones), and they seem to me to be out of order. The 
headers on SIDs 1384 and 1388 are identical, so they will be applied in 
the order listed, which is to say "NOTIFY * " will be detected before a 
"Location" overflow. I would think it very possible that the buffer 
overflow attack would include "NOTIFY * ", thus triggering the 
"malformed advertisement" rule and skipping the "Location overflow" 
rule. In my opinion, the overflow rule is more important and less likely 
to trigger than the "NOTIFY * " rule. Can anyone set me straight on 
this, or should the two be swapped?
     Also, after reviewing the now long-expired Internet Draft on SSDP, 
it seems that "NOTIFY * " is perfectly legal, and in fact expected 
behaviour. It is used for service advertisements. Shouldn't the message 
text for SID 1384 be something different, like "UPNP advertisement"? The 
word "malformed" bothers me.
     All submitted for Your approval and awaiting any responses, 
positive or negative.


GPG key / Schlüssel -- http://simultan.dyndns.org/~arjones/gpgkey.txt
Encrypt everything. / Alles verschlüsseln.

More information about the Snort-sigs mailing list