[Snort-users] SCAN UPnP service discover attempt

Garrett.Allen at ...8966...
Wed Jun 4 12:52:03 EDT 2003


i'm dealing with the same issue here.  we have shut the services off, but
still get 2 packets every 25 secs.  here is an article from ms site.
haven't tried the dink yet but .... hih

http://support.microsoft.com/default.aspx?scid=kb%3ben-us%3b317843

thanks.
-----Original Message-----
From: bmcdowell at ...7861... [mailto:bmcdowell at ...7861...]
Sent: Wednesday, June 04, 2003 12:01 PM
To: snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] SCAN UPnP service discover attempt



Watch for MSN Messenger users trying to use anything other than IM (as in
voice, file transfer, etc.)  They have an article on why all of this uses
UPnP somewhere in their knowledgebase.

Personally, I'd just like to make UPnP work via conntrack in my iptables,
but that's another story.

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Joerg Weber
Sent: Wednesday, June 04, 2003 10:34 AM
To: SnortUsers
Subject: Re: [Snort-users] SCAN UPnP service discover attempt


Hi Mark,

I'm not exactly a Windows expert, but as far as I know, Windows XP
clients by default look for what is called UPnP device descriptions via
UPnP. That's why you're seeing these alerts IMO.

Have a look at
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-059.asp
for some info about the UPnP service and bugs within it.

Hope I could help,

Joerg

> Greetings,
> 
>    There are two hosts on this network that every 5 seconds or so cause 
> snort to alert
> 
>            [**] [1:1917:4] SCAN UPnP service discover attempt [**]
>            [Classification: Detection of a Network Scan] [Priority: 3]
>             ...........

-- 
Joerg Weber
Network Security

infoServe GmbH
Nell-Breuning-Allee 6
D-66115 Saarbruecken

T: (0681) 8 80 08 - 0
F: (0681) 8 80 08 - 59
www.infos.de
E: j.weber at ...8292...
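
Added example (not written by any poster in this thread and not Snort project code): a small Python triage of SID 1917 alerts in Snort's fast-alert format, separating sources that send steadily to the SSDP multicast group, like the hosts described above, from sources that deserve a closer look. The sample alerts, addresses, thresholds and the default year are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

SSDP_MCAST = "239.255.255.250"  # standard SSDP multicast group, UDP port 1900
ALERT = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\] \[1:1917:\d+\] .*"
    r"\{UDP\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):1900$")
FMT = ("06/04-10:{m:02d}:{s:02d}.000000  [**] [1:1917:4] SCAN UPnP service discover "
       "attempt [**] [Classification: Detection of a Network Scan] [Priority: 3] "
       "{{UDP}} {src}:1030 -> {dst}:1900")

def _line(sec, src, dst):  # builds one constructed sample alert; addresses are made up
    return FMT.format(m=sec // 60, s=sec % 60, src=src, dst=dst)

SAMPLE = ([_line(t, "192.168.1.20", SSDP_MCAST) for t in range(0, 30, 5)] +
          [_line(t, "192.168.1.77", f"192.168.1.{i}") for i, t in enumerate((1, 2, 9, 40), 1)])

def triage(lines, max_jitter=1.0, min_alerts=3, year=2003):
    """Group SID 1917 alerts by source and label steady multicast senders.

    max_jitter, min_alerts and year are assumed tuning values; fast alerts
    carry no year, so one is supplied for timestamp parsing.
    """
    seen = defaultdict(lambda: {"times": [], "dsts": set()})
    for line in lines:
        m = ALERT.match(line.strip())
        if not m:
            continue  # other SIDs or lines in another format
        ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
        seen[m["src"]]["times"].append(ts)
        seen[m["src"]]["dsts"].add(m["dst"])
    report = {}
    for src, rec in seen.items():
        times = sorted(rec["times"])
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        steady = len(times) >= min_alerts and bool(gaps) and pstdev(gaps) <= max_jitter
        benign = steady and rec["dsts"] == {SSDP_MCAST}
        report[src] = {"alerts": len(times),
                       "mean_gap": round(mean(gaps), 1) if gaps else None,
                       "dsts": sorted(rec["dsts"]),
                       "verdict": "periodic-multicast" if benign else "review"}
    return report

if __name__ == "__main__":
    for src, info in triage(SAMPLE).items():
        print(src, info)
```

Sources labelled `periodic-multicast` are candidates for rule tuning or suppression; anything labelled `review` should be checked by hand before it is silenced.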

