Snort mailing list archives

RE: Anyone recognize this packet?


From: "Kjetil Laasby" <Kjetil () laasby com>
Date: Wed, 3 Apr 2002 14:30:15 +0200

It's the famous UPNP (Windows XP) that's searching for SSDP Servers
(multicasting). 

See: http://www.upnp.org/

SSDP uses udp 1900 and tcp (or is it udp) 5000.

There are vulns with it - see:
http://www.cert.org/advisories/CA-2001-37.html

Regards,
Kjetil Laasby

-----Original Message-----
From: Rich Adamson [mailto:radamson () routers com] 
Sent: 3. april 2002 13:32
To: Snort Users Postings
Subject: [Snort-users] Anyone recognize this packet?


We're seeing a few internal workstations (behind a firewall) originating
packets with the contents like:

 "SEARCH * HTTP/1.1 HOST 239.255.255.255:1900<crlf>MAN
"ssdp:discovery"<lf>
 MX: 3<crlf>ST: urn:schemas-upnp-org:service:WANIPConnection:1<crlf>

The packets were observed being sent to the workstation's default
gateway (happens to be a Bay BLN router) with a destination port of
udp-1900, as observed with an NAI Sniffer. The router is not configured
to support multicasting.

Anyone seen these or have any idea what might be generating the
query/scan?




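An added example (not part of the original posts): a Python triage helper that recognizes the SSDP discovery request discussed in this thread and reports whether it went to the multicast group or to a unicast address such as a gateway. The sample datagram is constructed from the UPnP Device Architecture wire format (method `M-SEARCH`, group `239.255.255.250`, `MAN: "ssdp:discover"`); the function names, labels and the `192.0.2.1` gateway address are assumptions made for illustration.

```python
SSDP_GROUP = "239.255.255.250"   # SSDP IPv4 multicast group per the UPnP spec
SSDP_PORT = 1900

def parse_ssdp_search(payload: bytes):
    """Return the fields of an SSDP M-SEARCH request, or None if it is not one."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None
    # Tolerate bare LF as well as CRLF line endings, as seen in the capture.
    lines = text.replace("\r\n", "\n").split("\n")
    parts = lines[0].split()
    if len(parts) != 3 or parts[:2] != ["M-SEARCH", "*"]:
        return None
    if not parts[2].startswith("HTTP/1."):
        return None
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break                          # blank line ends the header block
        name, sep, value = line.partition(":")
        if not sep:
            return None                    # malformed header line
        headers[name.strip().upper()] = value.strip()
    if headers.get("MAN", "").strip('"').lower() != "ssdp:discover":
        return None
    host, _, port = headers.get("HOST", "").partition(":")
    mx = headers.get("MX", "")
    return {
        "search_target": headers.get("ST", ""),
        "mx": int(mx) if mx.isdigit() else None,
        "host": host,
        "port": int(port) if port.isdigit() else SSDP_PORT,
    }

def triage(payload: bytes, dst_ip: str, dst_port: int) -> str:
    """Classify one captured UDP datagram for an analyst."""
    if dst_port != SSDP_PORT:
        return "not-ssdp-port"
    if parse_ssdp_search(payload) is None:
        return "udp-1900-not-ssdp"
    # A valid search sent anywhere other than the group (e.g. the gateway).
    return "ssdp-search-multicast" if dst_ip == SSDP_GROUP else "ssdp-search-unicast"

# Constructed sample datagram (not taken from the capture in the thread).
SAMPLE = (b'M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n'
          b'MAN: "ssdp:discover"\r\nMX: 3\r\n'
          b'ST: urn:schemas-upnp-org:service:WANIPConnection:1\r\n\r\n')

if __name__ == "__main__":
    print(triage(SAMPLE, "192.0.2.1", 1900), parse_ssdp_search(SAMPLE))
```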

