Snort mailing list archives
Anyone recognize this packet?
From: David Bianco <bianco () jlab org>
Date: Wed, 3 Apr 2002 07:44:56 -0500
Rich Adamson writes:
We're seeing a few internal workstations (behind a firewall) originating packets with the contents like:

"SEARCH * HTTP/1.1 HOST 239.255.255.255:1900<crlf>MAN "ssdp:discovery"<lf> MX: 3<crlf>ST: urn:schemas-upnp-org:service:WANIPConnection:1<crlf>"

The packets were observed being sent to the workstation's default gateway (happens to be a Bay BLN router) with a destination port of udp-1900, as observed with an NAI Sniffer. The router is not configured to support multicasting.

Anyone seen these or have any idea what might be generating the query/scan?
It's some host (probably a Windows 2000 or maybe XP machine) using Universal Plug-n-Play. You can find more info at http://www.upnp.org/. There were some major security flaws associated with the use of UPNP, but I don't know just from this one example if this is an exploit or a legit request, but I suspect it's legit if it's only going between a host and its router.

David

--
David J. Bianco, GSEC <bianco () jlab org>
Thomas Jefferson National Accelerator Facility

The views expressed herein are solely those of the author and not those of SURA/Jefferson Lab or the US DOE.
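For triage of the packet quoted in this thread, the search request can be parsed and its delivery classified as below. This is an added example, not part of either post; the `M-SEARCH` method spelling, the gateway address `192.168.1.1` used in testing, and the function names are assumptions.

```python
import ipaddress
import re

# Constructed sample: the payload quoted in the post, keeping the mixed
# CRLF / bare-LF line endings and the colon-less headers as transcribed.
SAMPLE = (b'M-SEARCH * HTTP/1.1\r\n'
          b'HOST 239.255.255.255:1900\r\n'
          b'MAN "ssdp:discovery"\n'
          b'MX: 3\r\n'
          b'ST: urn:schemas-upnp-org:service:WANIPConnection:1\r\n\r\n')

def parse_ssdp_search(payload: bytes):
    """Return (method, headers) for an SSDP search request, else None."""
    text = payload.decode("ascii", errors="replace")
    lines = [ln.strip() for ln in re.split(r"\r?\n", text) if ln.strip()]
    if not lines:
        return None
    # Accept the method as written in the post ("SEARCH") as well.
    m = re.match(r"^(M-SEARCH|SEARCH) \* HTTP/1\.[01]$", lines[0])
    if not m:
        return None
    headers = {}
    for ln in lines[1:]:
        # Accept "NAME: value" and the colon-less "NAME value" form.
        h = re.match(r"^([A-Za-z][A-Za-z0-9.-]*)\s*:?\s*(.*)$", ln)
        if h:
            headers[h.group(1).upper()] = h.group(2).strip().strip('"')
    return m.group(1), headers

def triage(payload: bytes, dst_ip: str, dst_port: int):
    """Summarise a UDP/1900 search request for an analyst, else None."""
    parsed = parse_ssdp_search(payload)
    if parsed is None or dst_port != 1900:
        return None
    _, headers = parsed
    dst = ipaddress.ip_address(dst_ip)
    mx = headers.get("MX", "")
    return {
        "is_discovery": headers.get("MAN", "").lower() == "ssdp:discovery",
        "search_target": headers.get("ST"),
        "mx_seconds": int(mx) if mx.isdigit() else None,
        # The post saw this sent to the default gateway, i.e. unicast.
        "delivery": "multicast" if dst.is_multicast else "unicast",
        "dst_is_private": dst.is_private,
    }
```

A result with `delivery` of `unicast` and `dst_is_private` true matches the host-to-router case described in the reply; a request of this kind addressed outside private space deserves a closer look.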