Snort mailing list archives
RE: UPnP service discover attempt
From: <bmcdowell () coxhealthplans com>
Date: Thu, 5 Jun 2003 10:38:30 -0500
This seems to be a timely topic. I wonder if MS has changed the way something behaves. Maybe an update? Are those of you that are seeing this using Windows Update or SUS?

Maybe the rule should be addressed to accommodate whatever has recently changed (but don't ask _me_ how).

Just my two cents.

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net]On Behalf Of Mark Williamson
Sent: Wednesday, June 04, 2003 10:12 AM
To: snort
Subject: [Snort-users] UPnP service discover attempt

Greetings,

There are two hosts on this network that every 5 seconds or so cause snort to alert

[**] [1:1917:4] SCAN UPnP service discover attempt [**]
[Classification: Detection of a Network Scan] [Priority: 3]
...........

each alert is repeated 3 times from each host to the same destination (the gateway router on this network)

Both of the hosts are running Windows XP and Snort is running on Slackware 9.0.0

I see on the snort.org site what this is SID:1917 - but the part that troubles me is the False Positive and False Negative sections -

False Positives: A scanner may be used in a security audit.
False Negatives: None Known.

If this is the case why am I seeing these hosts "ticking" like this?

Any help on this matter would be much appreciated, I've rtfm and googled and checked the mail archive yet I find no answers to my quandary.

Thanks again,
Mark
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
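A triage sketch for the alert pattern described in the quoted message, added here as an example and not code from the thread or from Snort: it groups SID 1917 alerts by source and reports how many destinations each source touches, how many alerts arrive per burst, and the interval between bursts. The sample lines are constructed in Snort's fast-alert layout; the addresses, ports, the fixed year and the `build_sample`/`triage` names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

ALERT_RE = re.compile(  # fast alert: ts [**] [gid:sid:rev] msg ... {PROTO} src -> dst
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[\d+:(?P<sid>\d+):\d+\]"
    r".*?\{\w+\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)

def build_sample():
    """Constructed alerts: two hosts, 3 alerts every 5 s, one destination."""
    lines = []
    for tick in range(4):
        for host in ("192.168.1.10", "192.168.1.11"):  # assumed addresses
            for rep in range(3):
                lines.append(
                    f"06/04-10:12:{tick * 5:02d}.{rep:06d}  [**] [1:1917:4] "
                    "SCAN UPnP service discover attempt [**] "
                    "[Classification: Detection of a Network Scan] [Priority: 3] "
                    f"{{UDP}} {host}:1027 -> 192.168.1.1:1900")
    return lines

def triage(lines, sid=1917, burst_gap=1.0, year="2003"):
    """Per source: distinct destinations, alerts per burst, seconds between bursts."""
    seen = defaultdict(lambda: {"dsts": set(), "times": []})
    for line in lines:
        m = ALERT_RE.match(line)
        if not m or int(m["sid"]) != sid:
            continue  # unparseable line or a different rule
        # Fast-alert timestamps carry no year; a fixed one is assumed for parsing.
        t = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
        seen[m["src"]]["dsts"].add(m["dst"])
        seen[m["src"]]["times"].append(t)
    report = {}
    for src, info in seen.items():
        times = sorted(info["times"])
        bursts = [[times[0]]]
        for t in times[1:]:
            if (t - bursts[-1][-1]).total_seconds() > burst_gap:
                bursts.append([])  # gap exceeded: start a new burst
            bursts[-1].append(t)
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(bursts, bursts[1:])]
        report[src] = {"destinations": len(info["dsts"]),
                       "alerts_per_burst": median(len(b) for b in bursts),
                       "burst_interval_s": median(gaps) if gaps else None}
    return report

if __name__ == "__main__":
    print(triage(build_sample()))
```

A source that alerts toward a single destination at a fixed interval is more consistent with automated host behaviour than with a sweep across many destinations, which is what the rule's "network scan" classification suggests.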
Current thread:
- UPnP service discover attempt Mark Williamson (Jun 05)
- <Possible follow-ups>
- RE: UPnP service discover attempt bmcdowell (Jun 05)
- RE: UPnP service discover attempt David Beeson (Jun 05)
- RE: UPnP service discover attempt David Beeson (Jun 06)
- RE: UPnP service discover attempt David Beeson (Jun 06)