Snort mailing list archives

RE: SCAN UPnP service discover attempt


From: Garrett.Allen () ser com
Date: Wed, 4 Jun 2003 15:57:31 -0400

i'm dealing with the same issue here.  we have shut the services off, but
still get 2 packets every 25 secs.  here is an article from ms site.
haven't tried the link yet but .... hih

http://support.microsoft.com/default.aspx?scid=kb%3ben-us%3b317843

thanks.
-----Original Message-----
From: bmcdowell () coxhealthplans com [mailto:bmcdowell () coxhealthplans com]
Sent: Wednesday, June 04, 2003 12:01 PM
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] SCAN UPnP service discover attempt



Watch for MSN Messenger users trying to use anything other than IM (as in
voice, file transfer, etc.). They have an article on why all of this uses
UPnP somewhere in their knowledge base.

Personally, I'd just like to make UPnP work via conntrack in my iptables,
but that's another story.

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of Joerg Weber
Sent: Wednesday, June 04, 2003 10:34 AM
To: SnortUsers
Subject: Re: [Snort-users] SCAN UPnP service discover attempt


Hi Mark,

I'm not exactly a Windows expert, but as far as I know, Windows XP
clients by default look for what is called UPnP device descriptions via
UPnP. That's why you're seeing these alerts IMO.

Have a look at
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-059.asp
for some info about the UPnP service and bugs within it.

Hope I could help,

Joerg

Greetings,

   There are two hosts on this network that every 5 seconds or so cause 
snort to alert

           [**] [1:1917:4] SCAN UPnP service discover attempt [**]
           [Classification: Detection of a Network Scan] [Priority: 3]
            ...........

-- 
Joerg Weber
Network Security

infoServe GmbH
Nell-Breuning-Allee 6
D-66115 Saarbruecken

T: (0681) 8 80 08 - 0
F: (0681) 8 80 08 - 59
www.infos.de
E: j.weber () infos de


-------------------------------------------------------
This SF.net email is sponsored by:  Etnus, makers of TotalView, The best
thread debugger on the planet. Designed with thread debugging features
you've never dreamed of, try TotalView 6 free at www.etnus.com.
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
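
An added example, not part of any poster's message: one way to triage the repeating sid 1917 alerts described in this thread by separating hosts that send SSDP discovery to the multicast group at a steady interval from sources that need a closer look. It assumes Snort's "fast" alert line format with source and destination present; the sample lines, IP addresses, year, the `jitter` threshold and the `triage` function name are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

SSDP_MCAST = "239.255.255.250"  # SSDP multicast group used for UPnP discovery

# Constructed sample alerts (assumed fast-alert format, invented hosts and times).
FMT = ("06/04-10:00:{:09.6f}  [**] [1:1917:4] SCAN UPnP service discover attempt [**] "
       "[Classification: Detection of a Network Scan] [Priority: 3] {{UDP}} {}:1034 -> {}:1900")
SAMPLE = "\n".join(
    # one client repeating discovery to the multicast group every 5 seconds
    [FMT.format(s, "192.168.1.21", SSDP_MCAST) for s in (0, 5, 10, 15)] +
    # one source sending the same probe to several unicast addresses in a burst
    [FMT.format(1 + i * 0.2, "192.168.1.77", f"192.168.1.{i + 1}") for i in range(3)])

LINE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\] \[1:1917:\d+\] .*?"
                  r"\{UDP\} ([\d.]+):\d+ -> ([\d.]+):1900")

def triage(text, year=2003, jitter=1.0):
    """Return {src: (verdict, detail)} for sid 1917 alerts found in text.

    'periodic-discovery': only the SSDP multicast group was addressed and the
    gaps between alerts vary by at most `jitter` seconds (detail = mean gap).
    'review': anything else (detail = number of distinct destinations).
    """
    seen = defaultdict(lambda: ([], set()))
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # other signatures or unparsable lines are ignored
        # fast alerts carry no year, so one is supplied as an assumption
        ts = datetime.strptime(f"{year}/{m.group(1)}", "%Y/%m/%d-%H:%M:%S.%f")
        seen[m.group(2)][0].append(ts)
        seen[m.group(2)][1].add(m.group(3))
    verdicts = {}
    for src, (times, dsts) in seen.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        periodic = len(gaps) >= 2 and pstdev(gaps) <= jitter
        if dsts == {SSDP_MCAST} and periodic:
            verdicts[src] = ("periodic-discovery", round(mean(gaps), 1))
        else:
            verdicts[src] = ("review", len(dsts))
    return verdicts

if __name__ == "__main__":
    for src, verdict in sorted(triage(SAMPLE).items()):
        print(src, verdict)
```

Hosts that land in `periodic-discovery` are candidates for the client-side fix discussed in the thread or for a per-source suppression; `review` entries still warrant a look at the packets.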


