[Snort-sigs] report of false positives for "SCAN UPnP service discover attempt" rule

Nigel Houghton nigel at ...435...
Wed Jun 9 13:06:02 EDT 2004

On  0, Daniel Surdu <daniel_surdu at ...12...> allegedly wrote:
> # This is a report of false positives with regard to the following rule
> #
> Rule:
> SCAN UPnP service discover attempt
> --
> Sid:
> 1917
> --
> Summary:
> This alert is reported very often on my network composed entirely of 
> Windows 2000 Profesional systems, which do not have the UPnp service as in 
> the case of Windows XP.
> --
> Impact:
> High
> --
> Detailed Information:
> --
> Affected Systems:
> Windows 2000
> --
> False Positives:
> Although Windows 2000 has no Upnp support, alerts are generated 
> continuously, every 30 to 60 min.
> I found an article detailing the fact that "MSN Messenger Sends Endless 
> UPnP Packets"
> and this is the case on my network where all my users use MSN (all desktop 
> systems on my network are Windows 2000 Pro) --> see complete article below
> --
> Additional References:
> http://www.winnetmag.com/Article/ArticleID/24664/24664.html

I fail to see why this is a false positive. The rule looks for UPnP
scanning activity which is what is happening with MSN Messenger. Granted,
this may not be the prelude to an attack but if you set your $EXTERNAL_NET
and $HOME_NET variables correctly, this event should disappear. If it does
not, I suggest you start looking at your firewall configuration.

On the other hand, the attack scenario in the related sid documentation is
not related to the rule, this will be changed.

Nigel Houghton       Research Engineer        Sourcefire Inc.
                 Vulnerability Research Team

In an emergency situation involving two or more officers of equal rank,
seniority will be granted to whichever officer can program a vcr.

More information about the Snort-sigs mailing list