[Snort-users] SCAN UPnP service discover attempt

bmcdowell at ...7861... bmcdowell at ...7861...
Wed Jun 4 09:00:06 EDT 2003


Watch for MSN Messenger users trying to use anything other than IM (as in voice, file transfer, etc.)  They have an article on why all of this uses UPnP somewhere in their knowledgebase.

Personally, I'd just like to make UPnP work via conntrack in my iptables, but that's another story.

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Joerg Weber
Sent: Wednesday, June 04, 2003 10:34 AM
To: SnortUsers
Subject: Re: [Snort-users] SCAN UPnP service discover attempt


Hi Mark,

I'm not exactly a windows expert, but as far as I know, do Windows XP
clients by default look for what is called UPnP device descriptions via
UPnP. That's why you'r seeing these alerts IMO.

Have a look at
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-059.asp
for some info about the UPnP service and bugs within it.

Hope I could help,

Joerg

> Greetings,
> 
>    There are two hosts on this network that every 5 seconds or so cause 
> snort to alert
> 
>            [**] [1:1917:4] SCAN UPnP service discover attempt [**]
>            [Classification: Detection of a Network Scan] [Priority: 3]
>             ...........

-- 
Joerg Weber
Network Security

infoServe GmbH
Nell-Breuning-Allee 6
D-66115 Saarbruecken

T: (0681) 8 80 08 - 0
F: (0681) 8 80 08 - 59
www.infos.de
E: j.weber at ...8292...




More information about the Snort-users mailing list