[Snort-users] SCAN UPnP service discover attempt

Bruyere, Michel mbruyere at ...8851...
Wed Jun 4 07:43:35 EDT 2003

Hi There, 

> Greetings,
>    There are two hosts on this network that every 5 seconds or so cause
> snort to alert
>            [**] [1:1917:4] SCAN UPnP service discover attempt [**]
>            [Classification: Detection of a Network Scan] [Priority: 3]
>             ...........
> each alert is repeated 3 times from each host to the same destination
> (the gateway router on this network)
> Both of the hosts are running Windows XP and Snort is running on
> Slackware 9.0.0

Just disable the ssdp service on the Windows XP and it will stop the
discovery process. UPNP is the new Universal plug and play feature (thanks
again M$) that try to discover new hardware on the LAN. For more information
on this subject you can get an eye on http://grc.com/unpnp/unpnp.htm

My 0.02$


M. Bruyere

More information about the Snort-users mailing list