Snort mailing list archives

RE: UPnP service discover attempt


From: "David Beeson" <David.Beeson () stellent com>
Date: Thu, 5 Jun 2003 10:25:08 -0500

I had similar behavior from a host on one of my networks and found out that it was being caused by Windows Messenger.
Check and see if these 2 machines are running Windows Messenger and, if so, shut it down and see if the problem goes away.

David


-----Original Message-----
From: Mark Williamson [mailto:mark () nunswithguns co uk]
Sent: Wednesday, June 04, 2003 10:12 AM
To: snort
Subject: [Snort-users] UPnP service discover attempt


Greetings,

    There are two hosts on this network that every 5 seconds or so cause 
snort to alert

            [**] [1:1917:4] SCAN UPnP service discover attempt [**]
            [Classification: Detection of a Network Scan] [Priority: 3]
             ...........


Each alert is repeated 3 times from each host to the same destination 
(the gateway router on this network).

Both of the hosts are running Windows XP and Snort is running on 
Slackware 9.0.0

I see on the snort.org site what this is SID:1917 - but the part that 
troubles me is the False Positive and False Negative sections -

        False Positives: A scanner may be used in a security audit.
        False Negatives: None Known.

If this is the case, why am I seeing these hosts "ticking" like this?

Any help on this matter would be much appreciated, I've rtfm and googled 
and checked the mail archive, yet I find no answers to my quandary.

Thanks again,

Mark



-------------------------------------------------------
This SF.net email is sponsored by:  Etnus, makers of TotalView, The best
thread debugger on the planet. Designed with thread debugging features
you've never dreamed of, try TotalView 6 free at www.etnus.com.
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


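One way to triage the pattern discussed in this thread, added here as an example and not part of either poster's message or of Snort itself: it parses Snort fast-format alert lines for SID 1917 and separates a host that alerts on a steady timer toward a single destination from one that touches many destinations. The log lines, IP addresses, assumed year and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Snort "fast" alert line: timestamp [**] [gid:sid:rev] msg [**] ... {proto} src -> dst
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[\d+:(?P<sid>\d+):\d+\].*?"
    r"\{\w+\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?")

def parse_alerts(lines, sid=1917, year=2003):
    """Return {src: [(timestamp, dst), ...]}; fast alerts carry no year, so one is assumed."""
    by_src = defaultdict(list)
    for line in lines:
        m = ALERT_RE.match(line.strip())
        if m and int(m["sid"]) == sid:
            ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
            by_src[m["src"]].append((ts, m["dst"]))
    return by_src

def bursts(events, gap=1.0):
    """Collapse alerts at most `gap` seconds apart into one burst; return burst start times."""
    starts, last = [], None
    for ts, _ in sorted(events):
        if last is None or (ts - last).total_seconds() > gap:
            starts.append(ts)
        last = ts
    return starts

def classify(events, min_bursts=4, jitter=0.2, sweep_dsts=5):
    """Label one source's alerts: 'sweep', 'periodic-client' or 'unclassified'."""
    dsts = {dst for _, dst in events}
    if len(dsts) >= sweep_dsts:
        return "sweep"                # many targets: consistent with an actual scan
    starts = bursts(events)
    if len(dsts) == 1 and len(starts) >= min_bursts:
        deltas = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
        if pstdev(deltas) <= jitter * mean(deltas):
            return "periodic-client"  # one target on a steady timer: application chatter
    return "unclassified"

def sample_alerts():
    """Constructed log: .10 alerts 3 times every 5 s to one router, .99 walks 8 addresses."""
    fmt = ("06/04-10:{m:02d}:{s:02d}.{us:06d}  [**] [1:1917:4] SCAN UPnP service discover attempt [**] "
           "[Classification: Detection of a Network Scan] [Priority: 3] {{UDP}} {src}:1026 -> {dst}:1900")
    tick = [fmt.format(m=0, s=5 * i, us=100000 * r, src="192.168.1.10", dst="192.168.1.1")
            for i in range(6) for r in range(3)]
    walk = [fmt.format(m=1, s=i, us=0, src="192.168.1.99", dst=f"192.168.1.{20 + i}") for i in range(8)]
    return tick + walk
```

Sources labelled `periodic-client` are the ones worth checking for a client application before treating the alert as a scan.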

