Thu Nov 23 16:34:03 EST 2017
M-SEARCH * HTTP/1.1
ST: ge:fridge <-----Gimme a break.
> All uses of UPNP are probably bad, but I haven't turned on logging for
> it yet. BTW, port 5000 on my XP box isn't listening. Anyone know how
> they differ?
MS mentioned filtering ports 1900 and 5000 at the firewall so I assumed that
it had something to do with it.
*shrug* I have seen it on 1900 and have nothing on 5000 on either of my XP
> Oh, the sig I've generated for now...
> (if this triggers, please send me the packet :P)
> alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"MISC UPNP
> malformed advertisement"; content:"NOTIFY * "; nocase;
> offset:0; depth:9; classtype:misc-attack;
> reference:cve,CAN-2001-0876; reference:cve,CAN-2001-0877;
> sid:1384; rev:1;)
> I'll get a life when someone demonstrates that it would be superior to
> what I have now.
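
An added example, not part of the original message: a Python emulation of how a Snort `content` option with `offset`, `depth` and `nocase` selects UDP/1900 payloads, run over constructed SSDP datagrams. The function names and sample packets are assumptions made for illustration, and 192.0.2.10 is a documentation address.

```python
from typing import Optional

def content_match(payload: bytes, content: bytes, offset: int = 0,
                  depth: Optional[int] = None, nocase: bool = False) -> bool:
    """Emulate one Snort content option: the pattern must lie entirely
    inside payload[offset : offset + depth]."""
    end = len(payload) if depth is None else offset + depth
    window = payload[offset:end]
    if nocase:
        window, content = window.lower(), content.lower()
    return content in window

RULE_CONTENT = b"NOTIFY * "  # 9 bytes, trailing space included

def rule_fires(payload: bytes, dst_port: int,
               depth: int = len(RULE_CONTENT)) -> bool:
    """UDP to port 1900 whose payload starts with the NOTIFY request line."""
    return dst_port == 1900 and content_match(
        payload, RULE_CONTENT, offset=0, depth=depth, nocase=True)

# Constructed sample datagrams (not captured traffic).
SAMPLES = {
    "notify": b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
              b"NT: upnp:rootdevice\r\nNTS: ssdp:alive\r\n"
              b"LOCATION: http://192.0.2.10:5000/desc.xml\r\n\r\n",
    "msearch": b"M-SEARCH * HTTP/1.1\r\nST: ge:fridge\r\n\r\n",
    "lowercase": b"notify * http/1.1\r\nnts: ssdp:alive\r\n\r\n",
    "not_at_start": b"X-NOTIFY * HTTP/1.1\r\n\r\n",
}

def evaluate(depth: int = len(RULE_CONTENT)) -> dict:
    """Return {sample name: True if the emulated rule alerts}."""
    return {name: rule_fires(p, 1900, depth) for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:13s} {'ALERT' if hit else 'no match'}")
    # A depth shorter than the pattern leaves a window too small to hold it.
    print("depth=8:", evaluate(depth=8))
```

Every SSDP advertisement starts with the same request line, so a match on it alone flags well-formed NOTIFY traffic as well as malformed advertisements.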