[Snort-users] SCAN UPnP service discover attempt

Mark Williamson snortuser at ...9376...
Wed Jun 4 07:20:11 EDT 2003


   There are two hosts on this network that every 5 seconds or so cause 
snort to alert

           [**] [1:1917:4] SCAN UPnP service discover attempt [**]
           [Classification: Detection of a Network Scan] [Priority: 3]

each alert is repeated 3 times from each host to the same destination 
(the gateway router on this network)

Both of the hosts are running Windows XP and Snort is running on 
Slackware 9.0.0

I see on the snort.org site what this is SID:1917 - but the part that 
troubles me is the False Positive and False Negative sections -

       False Positives: A scanner may be used in a security audit.
       False Negatives: None Known.

If this is the case why am i seeing these hosts "ticking" like this?
Any help on this matter would be much appreciated, I've rtfm and googled 
and checked the mail archive yet i find no answers to my quandry.

Thanks again,


More information about the Snort-users mailing list