No subject


Thu Nov 23 16:34:03 EST 2017


4.2.1.1.  Example 
    
   M-SEARCH * HTTP/1.1 
   S: uuid:ijklmnop-7dec-11d0-a765-00a0c91e6bf6 
   Host: 239.255.255.250:reservedSSDPport 
   Man: "ssdp:discover" 
   ST: ge:fridge <-----Gimme a break.
   MX: 3
> 
> All uses of UPNP are probably bad, but I haven't turned on logging for
> it yet.  BTW, port 5000 on my XP box isn't listening.  Anyone know how
> they differ?

MS mentioned filtering ports 1900 and 5000 at the firewall so I assumed that
it had something to do with it.
*shrug*  I have seen it on 1900 and have nothing on 5000 on either of my XP
boxes.

> 
> Oh, the sig I've generated for now... 
> 
> (if this triggers, please send me the packet :P)
> 
> alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"MISC UPNP 
> malformed advertisement"; content:"NOTIFY * "; nocase; 
> offset:0; depth:9; classtype:misc-attack; 
> reference:cve,CAN-2001-0876; reference:cve,CAN-2001-0877; 
> sid:1384; rev:1;)
> 
> -- 
> I'll get a life when someone demonstrates that it would be superior to
> what I have now.
> 
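
The content match in the signature quoted above, emulated over constructed SSDP datagrams to show how offset and depth bound the search window, and that the window has to cover all 9 bytes of "NOTIFY * " before the rule can fire. This is an added example, not part of the original post and not Snort code; the function names and sample packets are assumptions.

```python
# Added illustration: emulates a Snort-style content/nocase/offset/depth check.
# The datagrams below are constructed samples, not captured traffic.

def content_match(payload: bytes, pattern: bytes, offset: int = 0,
                  depth=None, nocase: bool = False) -> bool:
    """True if pattern lies wholly inside payload[offset:offset+depth]."""
    end = len(payload) if depth is None else offset + depth
    window = payload[offset:end]
    if nocase:
        window, pattern = window.lower(), pattern.lower()
    return pattern in window

PATTERN = b"NOTIFY * "  # 9 bytes: "NOTIFY", space, "*", space

# Constructed SSDP search request, modelled on the draft example quoted above.
M_SEARCH = (b"M-SEARCH * HTTP/1.1\r\n"
            b"Host: 239.255.255.250:1900\r\n"
            b'Man: "ssdp:discover"\r\n'
            b"ST: ge:fridge\r\nMX: 3\r\n\r\n")

# Constructed SSDP advertisement; header values are placeholders.
NOTIFY = (b"NOTIFY * HTTP/1.1\r\n"
          b"Host: 239.255.255.250:1900\r\n"
          b"NT: upnp:rootdevice\r\n"
          b"NTS: ssdp:alive\r\n"
          b"Location: http://192.0.2.10/desc.xml\r\n\r\n")

# Constructed case: the string appears later in the payload, not as the method.
EMBEDDED = b"M-SEARCH * HTTP/1.1\r\nX-Note: notify * here\r\n\r\n"

def evaluate(depth):
    """Return which sample datagrams alert for a given depth (offset 0, nocase)."""
    samples = {"m-search": M_SEARCH, "notify": NOTIFY, "embedded": EMBEDDED}
    return sorted(name for name, data in samples.items()
                  if content_match(data, PATTERN, 0, depth, nocase=True))

if __name__ == "__main__":
    for depth in (8, 9, None):
        print(f"depth={depth}: alerts on {evaluate(depth)}")
```

With no depth at all, the pattern also matches when it appears anywhere later in the datagram, which is the false-positive case the offset and depth options are there to exclude.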




More information about the Snort-sigs mailing list