Snort mailing list archives

RE: SCAN UPnP service discover attempt


From: "Philip Davidson" <Philip () dpc-paris com>
Date: Thu, 16 Oct 2003 08:13:20 -0500

Here is a tool that "closes" UPnP.
http://grc.com/unpnp/unpnp.htm

I don't know what you all think of Steve Gibson, but I thought this tool
did a great job.  It also turned down the noise on our snort boxes that
UPnP was making.  

Philip Davidson, A+ N+ MCP
Network/Security Engineer
DPC, Inc
1015 Maurice Fields Dr
Paris, TN 38242
731.642.8627 x103

-----Original Message-----
From: Schmehl, Paul L [mailto:pauls () utdallas edu] 
Sent: Wednesday, October 15, 2003 4:19 PM
To: Martin Jr., D. Michael; snort-users () lists sourceforge net
Subject: RE: [Snort-users] SCAN UPnP service discover attempt

-----Original Message-----
From: Martin Jr., D. Michael [mailto:martinm () montevallo edu] 
Sent: Wednesday, October 15, 2003 3:37 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] SCAN UPnP service discover attempt

Is the "SCAN UPnP service discover attempt" something I 
should worry about? If so, how so? If not, why not and how 
can I remove it from my log alerts (I can't find what rule in 
Snort may be creating this alert).

I would disable it.  In a University environment you are going to have
thousands of Windows machines with the Simple Service Discovery Protocol
service enabled, because it's the default install.  Unless you want to
figure out how to turn all those off (and good luck on getting 100%
cooperation from your residence halls), you're better off ignoring the
traffic.  I'm assuming, of course, that you have a default deny strategy
at your edge.  If not, definitely block port 5000/UDP along with the
NetBIOS, CIFS, SMB, RPC and NFS ports at your edge.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/ 


-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
SourceForge.net hosts over 70,000 Open Source Projects.
See the people who have HELPED US provide better services:
Click here: http://sourceforge.net/supporters.php
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=ort-users
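
Added example, not part of the original thread: one way to find which rule raises the alert asked about above and to disable it, as the reply suggests. It matches the alert text against each rule's msg option, reports the sid, and comments the rule out; the rules text and sids are constructed samples, and one rule per line is assumed.

```python
import re

# Constructed sample rules text (not the real Snort ruleset; sids are placeholders).
SAMPLE_RULES = '''\
# constructed sample rules file
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN UPnP service discover attempt"; content:"M-SEARCH "; depth:9; classtype:network-scan; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN constructed placeholder rule"; flags:S; sid:1000002; rev:1;)
'''

# msg:"..." option; backslash-escaped characters are allowed inside the quotes
MSG_RE = re.compile(r'\bmsg\s*:\s*"((?:[^"\\]|\\.)*)"')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')


def is_active(line):
    """A rule line is active unless it is commented out."""
    return not line.lstrip().startswith('#')


def find_rules(text, alert_msg):
    """Return (line_number, sid) for every active rule whose msg equals alert_msg."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        msg, sid = MSG_RE.search(line), SID_RE.search(line)
        if is_active(line) and msg and sid and msg.group(1) == alert_msg:
            hits.append((number, int(sid.group(1))))
    return hits


def disable_rules(text, sids):
    """Comment out active rules with the given sids; all other lines are unchanged."""
    out = []
    for line in text.splitlines(keepends=True):
        sid = SID_RE.search(line)
        if sid and int(sid.group(1)) in sids and is_active(line):
            line = '# ' + line
        out.append(line)
    return ''.join(out)


if __name__ == '__main__':
    alert = 'SCAN UPnP service discover attempt'
    found = find_rules(SAMPLE_RULES, alert)
    print('matching rules (line, sid):', found)
    print(disable_rules(SAMPLE_RULES, {sid for _, sid in found}), end='')
```
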
