[Snort-sigs] false positive for ID # 1917

Adam C. Knepprath Adam.Knepprath at ...669...
Wed Aug 4 13:38:05 EDT 2004


Rule: SCAN UPnP service discover attempt    


--
Sid: 1917

--
Summary: False positive for ID # 1917 is caused by Windows XP machines existing in a workgroup.

--
Impact: none

--
Detailed Information: When XP machines are not joined in a domain they send out these UPnP requests to find neighbors and network devices, like printers. This shows up as a SCAN of the service, but since it's legitimate traffic, it shouldn't be considered an attack.

--
Affected Systems: Windows XP machines on a network unjoined to a domain.

--
Attack Scenarios: n/a

--
Ease of Attack: n/a

--
False Positives: noted above

--
False Negatives: n/a

--
Corrective Action: not sure

--
Contributors: Adam Knepprath Adam.Knepprath at ...667...
		  Kevin Miller Kevin.Miller at ...667...

-- 
Additional References:


		Adam Knepprath, CCNA
		  
		Network / System Administrator
		Exceptional Software Strategies, Inc. 
		An 8(a) certified company 
		Adam.Knepprath at ...669... 
		http://www.Exceptionalsoftware.com 
		410-694-0240 Office ext.109
		410-694-0245 Fax 
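
One way to triage alerts for this rule, as an added example that is not part of the original post: it separates the multicast neighbor-discovery requests the report describes from UPnP discovery requests that arrive some other way. The workgroup subnet, the function names and the sample packets are assumptions constructed for illustration.

```python
import ipaddress

SSDP_GROUP = ipaddress.ip_address("239.255.255.250")  # SSDP multicast group
SSDP_PORT = 1900
# Assumption: subnet holding the workgroup (non-domain) XP hosts.
WORKGROUP_NETS = [ipaddress.ip_network("192.168.10.0/24")]

def parse_msearch(payload):
    """Return the headers of an SSDP M-SEARCH request, or None."""
    try:
        lines = payload.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return None
    if not lines[0].startswith("M-SEARCH * HTTP/1.1"):
        return None
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().upper()] = value.strip()
    return headers

def classify(src, dst, dport, payload):
    """Label one UDP datagram that triggered the UPnP discovery rule."""
    headers = parse_msearch(payload)
    if dport != SSDP_PORT or headers is None:
        return "not-ssdp-discovery"
    if headers.get("MAN", "").strip('"').lower() != "ssdp:discover":
        return "not-ssdp-discovery"
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    from_workgroup = any(src_ip in net for net in WORKGROUP_NETS)
    # Neighbor discovery goes from a local host to the multicast group.
    if from_workgroup and dst_ip == SSDP_GROUP:
        return "expected-discovery"
    # Anything else (outside source, unicast target) still needs a look.
    return "review"

# Constructed sample payload and packets, not captured traffic.
MSEARCH = (b'M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n'
           b'MAN: "ssdp:discover"\r\nMX: 3\r\nST: upnp:rootdevice\r\n\r\n')
SAMPLES = [
    ("192.168.10.23", "239.255.255.250", 1900, MSEARCH),
    ("203.0.113.9", "192.168.10.5", 1900, MSEARCH),
]

if __name__ == "__main__":
    for src, dst, dport, payload in SAMPLES:
        print(src, "->", dst, classify(src, dst, dport, payload))
```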
