[Snort-sigs] false positive for ID # 1917

Adam C. Knepprath Adam.Knepprath at ...669...
Wed Aug 4 13:38:05 EDT 2004

Rule: SCAN UPnP service discover attempt    

Sid: 1917

Summary: False positive for ID # 1917 is caused by Windows XP machines existing in a workgroup.

Impact: none

Detailed Information: When XP machines are not joined in a domain they send out these UPnP requests to find neighbors and network devices, like printers. This shows up as a SCAN of the service, but since it's legitimate traffic, it shouldn't be considered an attack.

Affected Systems: Windows XP machines on a network unjoined to a domain.

Attack Scenarios: n/a

Ease of Attack: n/a

False Positives: noted above

False Negatives: n/a

Corrective Action: not sure

Contributors: Adam Knepprath Adam.Knepprath at ...667...
		  Kevin Miller Kevin.Miller at ...667...

Additional References:

		Adam Knepprath, CCNA
		Network / System Administrator
		Exceptional Software Strategies, Inc. 
		An 8(a) certified company 
		Adam.Knepprath at ...669... 
		410-694-0240 Office ext.109
		410-694-0245 Fax 
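
Added example, not part of the original post or of Snort: a triage helper that separates the workgroup discovery traffic described above from other packets that could raise SID 1917. It assumes the standard SSDP multicast group 239.255.255.250 on UDP port 1900; the LAN range, the sample payload and the function names are constructed for illustration.

```python
import ipaddress

# Assumptions for this example (none of these values come from the post):
SSDP_GROUP = ipaddress.ip_address("239.255.255.250")   # standard SSDP multicast group
SSDP_PORT = 1900
LOCAL_NETS = [ipaddress.ip_network("192.168.10.0/24")]  # hypothetical workgroup LAN

def parse_msearch(payload: bytes):
    """Return the header dict of an SSDP M-SEARCH request, or None if it is not one."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None
    lines = text.split("\r\n")
    if not lines[0].startswith("M-SEARCH "):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip blank or malformed lines
            headers[name.strip().upper()] = value.strip()
    return headers

def triage(src: str, dst: str, dport: int, payload: bytes) -> str:
    """Classify a UDP packet that could raise SID 1917."""
    headers = parse_msearch(payload)
    if dport != SSDP_PORT or headers is None:
        return "not-ssdp-discover"
    if headers.get("MAN", "").strip('"').lower() != "ssdp:discover":
        return "not-ssdp-discover"
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    local = any(src_ip in net for net in LOCAL_NETS)
    if local and dst_ip == SSDP_GROUP:
        # Consistent with the workgroup discovery the post describes.
        return "local-multicast-discovery"
    if local:
        return "local-unicast-probe"   # local host querying a single address
    return "external-source"           # does not match the workgroup pattern

# Constructed sample payload (not captured traffic).
SAMPLE = (b'M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n'
          b'MAN: "ssdp:discover"\r\nMX: 3\r\nST: upnp:rootdevice\r\n\r\n')
```

Alerts that fall into "local-multicast-discovery" are candidates for suppression by source network; the other two SSDP outcomes still merit a look.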
