Snort mailing list archives
RE: SCAN UPnP service discover attempt
From: "Thomas T. Evans, III" <ttevans () hawkcorp net>
Date: Wed, 4 Jun 2003 11:21:19 -0400
Mark: XP is a big fan of UPnP scanning and I have one machine that refuses to stop. There is a Q article somewhere on steps you can take to disable it, but in our case, the machine refused to cooperate. Thomas T. Evans, III CCNA Senior Network Manager Hawk Corporation ttevans () hawkcorp net 216-267-7787 Ext. 500 Cell: 440-669-2526 Fax: 917-464-7241 President, MFG/Pro Midwest User Group -----Original Message----- From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net]On Behalf Of Mark Williamson Sent: Wednesday, June 04, 2003 11:18 AM To: snort Subject: [Snort-users] SCAN UPnP service discover attempt Greetings, There are two hosts on this network that every 5 seconds or so cause snort to alert [**] [1:1917:4] SCAN UPnP service discover attempt [**] [Classification: Detection of a Network Scan] [Priority: 3] ........... each alert is repeated 3 times from each host to the same destination (the gateway router on this network) Both of the hosts are running Windows XP and Snort is running on Slackware 9.0.0 I see on the snort.org site what this is SID:1917 - but the part that troubles me is the False Positive and False Negative sections - False Positives: A scanner may be used in a security audit. False Negatives: None Known. If this is the case why am i seeing these hosts "ticking" like this? Any help on this matter would be much appreciated, I've rtfm and googled and checked the mail archive yet i find no answers to my quandry. Thanks again, Mark ------------------------------------------------------- This SF.net email is sponsored by: Etnus, makers of TotalView, The best thread debugger on the planet. Designed with thread debugging features you've never dreamed of, try TotalView 6 free at www.etnus.com. _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users ------------------------------------------------------- This SF.net email is sponsored by: Etnus, makers of TotalView, The best thread debugger on the planet. Designed with thread debugging features you've never dreamed of, try TotalView 6 free at www.etnus.com. _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- SCAN UPnP service discover attempt Mark Williamson (Jun 04)
- RE: SCAN UPnP service discover attempt Thomas T. Evans, III (Jun 04)
- Re: SCAN UPnP service discover attempt Mark Williamson (Jun 04)
- Re: SCAN UPnP service discover attempt Joerg Weber (Jun 04)
- <Possible follow-ups>
- RE: SCAN UPnP service discover attempt Bruyere, Michel (Jun 04)
- Re: SCAN UPnP service discover attempt Mark Williamson (Jun 04)
- Re: SCAN UPnP service discover attempt Mark Williamson (Jun 04)
- RE: SCAN UPnP service discover attempt Schmehl, Paul L (Jun 04)
- RE: SCAN UPnP service discover attempt bmcdowell (Jun 04)
- RE: SCAN UPnP service discover attempt Garrett . Allen (Jun 04)
- RE: SCAN UPnP service discover attempt Thomas T. Evans, III (Jun 04)