Snort mailing list archives

RE: SCAN UPnP service discover attempt


From: "Bruyere, Michel" <mbruyere () ezemcanada com>
Date: Wed, 4 Jun 2003 10:42:10 -0400



Hi There, 

<snip> 
Greetings,

   There are two hosts on this network that every 5 seconds or so cause
snort to alert

           [**] [1:1917:4] SCAN UPnP service discover attempt [**]
           [Classification: Detection of a Network Scan] [Priority: 3]
            ...........


each alert is repeated 3 times from each host to the same destination
(the gateway router on this network)

Both of the hosts are running Windows XP and Snort is running on
Slackware 9.0.0
<snip>

Just disable the SSDP service on the Windows XP hosts and it will stop the
discovery process. UPnP is the new Universal Plug and Play feature (thanks
again M$) that tries to discover new hardware on the LAN. For more information
on this subject you can have a look at http://grc.com/unpnp/unpnp.htm

My 0.02$

 

M. Bruyere
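
Added example, not part of the original message or of Snort itself: a small triage script that groups SID 1917 alerts by source and destination and reports the burst size and repeat period, which makes the "three alerts every 5 seconds to the gateway" pattern described in the thread easy to spot before deciding to disable SSDP or tune the rule. It assumes Snort's fast alert line format; the function names, addresses, port and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Snort "fast" alert line: timestamp [**] [gid:sid:rev] msg ... {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[\d+:(?P<sid>\d+):\d+\].*?"
    r"\{\w+\}\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):\d+")

def summarize(lines, sid=1917, burst_gap=1.0):
    """Per (src, dst): alert count, burst count, alerts per burst, median period."""
    times = defaultdict(list)
    for line in lines:
        m = ALERT_RE.match(line.strip())
        if m and int(m["sid"]) == sid:
            # Fast alerts carry no year; that is fine for intervals within one log.
            times[(m["src"], m["dst"])].append(
                datetime.strptime(m["ts"], "%m/%d-%H:%M:%S.%f"))
    report = {}
    for pair, ts in times.items():
        ts.sort()
        bursts = [[ts[0]]]
        for t in ts[1:]:
            # Alerts closer together than burst_gap seconds belong to one burst.
            if (t - bursts[-1][-1]).total_seconds() <= burst_gap:
                bursts[-1].append(t)
            else:
                bursts.append([t])
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(bursts, bursts[1:])]
        report[pair] = {"alerts": len(ts), "bursts": len(bursts),
                        "per_burst": len(ts) / len(bursts),
                        "period_s": median(gaps) if gaps else None}
    return report

def sample_alerts():
    """Constructed sample: two hosts, three alerts every 5 s, one gateway."""
    return [f"06/04-10:42:{burst * 5:02d}.{rep * 100000:06d}  [**] [1:1917:4] "
            "SCAN UPnP service discover attempt [**] "
            "[Classification: Detection of a Network Scan] [Priority: 3] "
            f"{{UDP}} {host}:1035 -> 192.168.1.1:1900"
            for host in ("192.168.1.10", "192.168.1.11")
            for burst in range(4) for rep in range(3)]

if __name__ == "__main__":
    for (src, dst), s in summarize(sample_alerts()).items():
        print(f"{src} -> {dst}: {s['alerts']} alerts, {s['per_burst']:.0f} per burst, "
              f"every {s['period_s']}s")
```

A fixed burst size and a steady period towards a single destination point to a service repeating its discovery request rather than a host sweeping the network.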


