Snort mailing list archives

Anyone recognize this packet?


From: David Bianco <bianco () jlab org>
Date: Wed, 3 Apr 2002 07:44:56 -0500

Rich Adamson writes:

We're seeing a few internal workstations (behind a firewall) originating
packets with the contents like:

 "SEARCH * HTTP/1.1 HOST 239.255.255.255:1900<crlf>MAN "ssdp:discovery"<lf>
 MX: 3<crlf>ST: urn:schemas-upnp-org:service:WANIPConnection:1<crlf>

The packets were observed being sent to the workstation's default gateway
(happens to be a Bay BLN router) with a destination port of udp-1900, as
observed with an NAI Sniffer. The router is not configured to support
multicasting.

Anyone seen these or have any idea what might be generating the query/scan?


It's some host (probably a Windows 2000 or maybe XP machine) using
Universal Plug-n-Play.  You can find more info at
http://www.upnp.org/.  There were some major security flaws associated
with the use of UPNP, but I don't know just from this one example if
this is an exploit or a legit request, but I suspect it's legit if it's 
only going between a host and its router.

     David

-- 
David J. Bianco, GSEC           <bianco () jlab org>
Thomas Jefferson National Accelerator Facility

     The views expressed herein are solely those of the author and
            not those of SURA/Jefferson Lab or the US DOE.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
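For anyone wanting to pick these datagrams out of a capture rather than eyeball them in a sniffer, here is an added example (not from the list thread or from Snort) that parses the SSDP/HTTPU payload shape shown above and flags the two things that matter to a defender: whether it is an M-SEARCH, and whether the search target is the Internet Gateway Device WAN connection service that hosts port-mapping control. The sample payload is constructed; it uses the standard SSDP form (an "M-SEARCH * HTTP/1.1" request line, the 239.255.255.250 multicast group, and MAN: "ssdp:discover"), which is an assumption about what the sniffer in the post was rendering as "SEARCH", 239.255.255.255 and "ssdp:discovery". Source and destination addresses are made up.

```python
"""Classify SSDP (UPnP discovery) datagrams of the kind described in the post.

Added example; the datagrams below are constructed, not captured from the list thread.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SSDP_PORT = 1900
SSDP_MULTICAST = "239.255.255.250"   # standard SSDP IPv4 multicast group (assumed, see lead-in)


@dataclass
class SsdpMessage:
    start_line: str
    headers: Dict[str, str] = field(default_factory=dict)


def parse_ssdp(payload: bytes) -> Optional[SsdpMessage]:
    """Parse an SSDP/HTTPU payload: a request line followed by Name: value headers.

    Lines may be CRLF or bare LF separated (the capture in the post shows both).
    Returns None if the payload is not shaped like an SSDP message.
    """
    try:
        text = payload.decode("ascii", errors="strict")
    except UnicodeDecodeError:
        return None
    lines = text.replace("\r\n", "\n").split("\n")
    if not lines or not lines[0].strip():
        return None
    msg = SsdpMessage(start_line=lines[0].strip())
    for line in lines[1:]:
        if not line.strip():
            break                        # blank line ends the header block
        name, sep, value = line.partition(":")
        if not sep:
            return None                  # malformed header line
        msg.headers[name.strip().upper()] = value.strip()
    return msg


@dataclass
class Finding:
    src: str
    dst: str
    kind: str
    search_target: str
    notes: List[str]


def classify(src: str, dst: str, dport: int, payload: bytes) -> Finding:
    """Label one UDP datagram and attach the observations a defender would want."""
    msg = parse_ssdp(payload)
    notes: List[str] = []
    if msg is None or dport != SSDP_PORT:
        return Finding(src, dst, "not-ssdp", "", notes)

    method = msg.start_line.split(" ", 1)[0].upper()
    if method == "M-SEARCH":
        kind = "ssdp-msearch"
    elif method == "NOTIFY":
        kind = "ssdp-notify"
    elif msg.start_line.upper().startswith("HTTP/1.1 200"):
        kind = "ssdp-response"
    else:
        kind = "ssdp-other"

    st = msg.headers.get("ST", "")
    if kind == "ssdp-msearch":
        if msg.headers.get("MAN", "").strip('"') != "ssdp:discover":
            notes.append('MAN header is not "ssdp:discover"')
        if dst != SSDP_MULTICAST:
            # The post saw the search go straight to the gateway, not to the group.
            notes.append(f"unicast M-SEARCH to {dst} (expected {SSDP_MULTICAST})")
        if "service:WANIPConnection" in st or "service:WANPPPConnection" in st:
            notes.append("searching for an Internet Gateway Device WAN connection "
                         "service (the UPnP service that carries port-mapping control)")
    return Finding(src, dst, kind, st, notes)


# Constructed sample: the shape of the packet in the post, in standard SSDP form.
SAMPLE_PAYLOAD = (b"M-SEARCH * HTTP/1.1\r\n"
                  b"HOST: 239.255.255.250:1900\r\n"
                  b'MAN: "ssdp:discover"\r\n'
                  b"MX: 3\r\n"
                  b"ST: urn:schemas-upnp-org:service:WANIPConnection:1\r\n\r\n")

SAMPLE_DATAGRAMS = [
    ("10.0.0.23", "10.0.0.1", 1900, SAMPLE_PAYLOAD),          # to the default gateway
    ("10.0.0.23", "239.255.255.250", 1900, SAMPLE_PAYLOAD),   # to the multicast group
    ("10.0.0.9", "10.0.0.1", 53, b"\x12\x34\x01\x00"),        # unrelated DNS-shaped bytes
]


def scan(datagrams) -> List[Finding]:
    """Classify a list of (src, dst, dport, payload) tuples."""
    return [classify(*d) for d in datagrams]


if __name__ == "__main__":
    for f in scan(SAMPLE_DATAGRAMS):
        print(f"{f.src} -> {f.dst}: {f.kind} ST={f.search_target or '-'}")
        for n in f.notes:
            print("    note:", n)
```

Run against a pcap you would feed it the UDP payloads from your own decoder; the point of the split between parse_ssdp and classify is that the parser only cares about the HTTPU shape, while the policy (multicast versus unicast to the gateway, which service is being searched for) lives in one place where a site can tune it.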