[Snort-users] UPnP service discover attempt

bmcdowell at ...7861... bmcdowell at ...7861...
Thu Jun 5 08:37:12 EDT 2003

This seems to be a timely topic.  I wonder if MS has changed the way something behaves.  Maybe an update?  Are those of you that are seeing this using Windows Update or SUS?

Maybe the rule should be addressed to accommodate whatever has recently changed (but don't ask _me_ how).  Just my two cents.

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Mark
Sent: Wednesday, June 04, 2003 10:12 AM
To: snort
Subject: [Snort-users] UPnP service discover attempt


    There are two hosts on this network that every 5 seconds or so cause 
snort to alert

            [**] [1:1917:4] SCAN UPnP service discover attempt [**]
            [Classification: Detection of a Network Scan] [Priority: 3]

each alert is repeated 3 times from each host to the same destination 
(the gateway router on this network)

Both of the hosts are running Windows XP and Snort is running on 
Slackware 9.0.0

I see on the snort.org site what this is SID:1917 - but the part that 
troubles me is the False Positive and False Negative sections -

        False Positives: A scanner may be used in a security audit.
        False Negatives: None Known.

If this is the case, why am I seeing these hosts "ticking" like this?

Any help on this matter would be much appreciated, I've rtfm and googled 
and checked the mail archive yet I find no answers to my quandary.

Thanks again,
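
The pattern described in this thread (the same SID firing in groups of three, every 5 seconds or so, from each host to one destination) can be confirmed from the alert file before deciding how to treat the rule. The following is an added example, not part of the original messages: a Python script that groups Snort fast-format alerts by SID, source and destination and reports burst size and interval. The sample lines, addresses, ports, year, and the `burst_gap` and 20% jitter thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Snort "fast" alert line: timestamp, [gid:sid:rev], message, {proto}, src -> dst
LINE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\] \[(?P<sid>\d+:\d+:\d+)\] "
    r"(?P<msg>.*?) \[\*\*\].*?\{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?")

def constructed_sample():
    """Constructed input: two hosts, each sending 3 alerts every 5 s to the gateway."""
    tail = ("[**] [1:1917:4] SCAN UPnP service discover attempt [**] "
            "[Classification: Detection of a Network Scan] [Priority: 3] {UDP} ")
    lines = []
    for host in ("192.168.1.10", "192.168.1.11"):      # made-up addresses
        for burst in range(4):
            for rep in range(3):
                lines.append(f"06/04-10:12:{burst * 5:02d}.{rep * 100000:06d}  "
                             f"{tail}{host}:1041 -> 192.168.1.1:1900")
    return "\n".join(lines)

def summarize(text, burst_gap=1.0, year="2003"):
    """Per (sid, src, dst): alert count, median burst size, median seconds between bursts."""
    times = defaultdict(list)
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:  # fast alerts carry no year, so one is assumed for parsing
            ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
            times[(m["sid"], m["src"], m["dst"])].append(ts)
    report = {}
    for key, stamps in times.items():
        stamps.sort()
        bursts = [[stamps[0]]]
        for t in stamps[1:]:  # alerts closer together than burst_gap form one burst
            if (t - bursts[-1][-1]).total_seconds() <= burst_gap:
                bursts[-1].append(t)
            else:
                bursts.append([t])
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(bursts, bursts[1:])]
        report[key] = {
            "alerts": len(stamps),
            "burst_size": median(len(b) for b in bursts),
            "interval_s": median(gaps) if gaps else None,
            # steady timer-like spacing: all gaps within 20% of the median gap
            "periodic": bool(gaps) and max(gaps) - min(gaps) <= 0.2 * median(gaps),
        }
    return report

if __name__ == "__main__":
    for key, stats in summarize(constructed_sample()).items():
        print(key, stats)
```

A steady interval and fixed burst size from a workstation point to a timer in host software rather than an interactive scan, which is the distinction the rule's false-positive note does not cover.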

