[Snort-users] SCAN UPnP service discover attempt

Schmehl, Paul L pauls at ...6838...
Wed Jun 4 08:49:09 EDT 2003


Unless you really use it, I would disable the UPnP service entirely (as
well as the SSDP service.)  I wrote an article for SecurityFocus [0]
about the buffer overflow that eEye found in SSDP (announced right after
the launch of XP), and the potential for exploitation of this service is
scary.  Microsoft appears to have given very little thought to the
potential for hacking this service.

The UPnP service is not started by default; however, the SSDP service is.
I would disable both and have on every machine I use.

[0] http://www.securityfocus.com/infocus/1548

Paul Schmehl (pauls at ...6838...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/ 

-----Original Message-----
From: Joerg Weber [mailto:j.weber at ...8292...] 
Sent: Wednesday, June 04, 2003 9:34 AM
To: SnortUsers
Subject: Re: [Snort-users] SCAN UPnP service discover attempt


Hi Mark,

I'm not exactly a Windows expert, but as far as I know, Windows XP
clients by default look for what are called UPnP device descriptions via
UPnP. That's why you're seeing these alerts IMO.

Have a look at
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-059.asp
for some info about the UPnP service and bugs within it.



