From: David Bianco (biancojlab.org)
Date: Wed Apr 03 2002 - 06:44:56 CST

    Rich Adamson writes:
    >
    > We're seeing a few internal workstations (behind a firewall) originating
    > packets with the contents like:
    >
    > "SEARCH * HTTP/1.1 HOST 239.255.255.255:1900<crlf>MAN "ssdp:discovery"<lf>
    > MX: 3<crlf>ST: urn:schemas-upnp-org:service:WANIPConnection:1<crlf>
    >
    > The packets were observed being sent to the workstation's default gateway
    > (happens to be a Bay BLN router) with a destination port of udp-1900, as
    > observed with an NAI Sniffer. The router is not configured to support
    > multicasting.
    >
    > Anyone seen these or have any idea what might be generating the query/scan?
    >

    It's some host (probably a Windows 2000 or maybe XP machine) using
    Universal Plug-n-Play. You can find more info at
    http://www.upnp.org/. There were some major security flaws associated
    with the use of UPNP, but I don't know just from this one example if
    this is an exploit or a legit request, but I suspect it's legit if it's
    only going between a host and its router.

         David

    -- 
    David J. Bianco, GSEC		<biancojlab.org>
    Thomas Jefferson National Accelerator Facility
    

    The views expressed herein are solely those of the author and not those of SURA/Jefferson Lab or the US DOE.
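For anyone who, like the original poster, sees udp/1900 traffic from internal workstations and wants to tell ordinary UPnP discovery from something else, here is a small classifier for SSDP datagrams. It is an added example, not code from the post or from Snort. The sample payloads are constructed; the search payload carries the fields quoted above but uses the values the SSDP specification itself defines (`M-SEARCH`, `"ssdp:discover"`, multicast group `239.255.255.250`) rather than the sniffer's rendering, while the parser also tolerates the bare `SEARCH` method as it appeared in that rendering. Only the UDP payload is parsed; the destination address and port are assumed to come from whatever capture tool supplied the packet.

```python
"""Classify SSDP (UPnP discovery) datagrams observed on udp/1900.

Added example, not from the original mailing-list post. Assumes the UDP payload,
destination IP and destination port have already been extracted from a capture.
"""
from dataclasses import dataclass
from typing import Dict, Optional

SSDP_PORT = 1900
SSDP_MCAST = "239.255.255.250"  # SSDP multicast group per the UPnP Device Architecture

# Constructed sample payloads (not captured traffic).
# A client looking for a UPnP Internet Gateway Device, e.g. a Windows host doing
# NAT traversal, sends an M-SEARCH for the WANIPConnection service like this one.
SAMPLE_MSEARCH = (
    b"M-SEARCH * HTTP/1.1\r\n"
    b"HOST: 239.255.255.250:1900\r\n"
    b'MAN: "ssdp:discover"\r\n'
    b"MX: 3\r\n"
    b"ST: urn:schemas-upnp-org:service:WANIPConnection:1\r\n"
    b"\r\n"
)
# A device announcing itself; LOCATION uses a documentation-range address.
SAMPLE_NOTIFY = (
    b"NOTIFY * HTTP/1.1\r\n"
    b"HOST: 239.255.255.250:1900\r\n"
    b"NT: upnp:rootdevice\r\n"
    b"NTS: ssdp:alive\r\n"
    b"LOCATION: http://192.0.2.10:2869/device.xml\r\n"
    b"\r\n"
)
# Something on port 1900 that is not SSDP at all (non-ASCII bytes).
SAMPLE_JUNK = b"\xff\xfe\x00not ssdp"


@dataclass
class SsdpMessage:
    method: str
    headers: Dict[str, str]  # header names upper-cased, values stripped


def parse_ssdp(payload: bytes) -> Optional[SsdpMessage]:
    """Parse an SSDP request (HTTP-over-UDP framing). Returns None if it is not one."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None
    head, _, _body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split()
    # Request line must look like "<METHOD> * HTTP/1.1"
    if len(parts) != 3 or parts[1] != "*" or not parts[2].startswith("HTTP/"):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            return None  # a header line without a colon is malformed
        headers[name.strip().upper()] = value.strip()
    return SsdpMessage(parts[0].upper(), headers)


def classify(payload: bytes, dst_ip: str, dst_port: int) -> str:
    """Return a short, defender-oriented label for one datagram."""
    if dst_port != SSDP_PORT:
        return "not-ssdp-port"
    msg = parse_ssdp(payload)
    if msg is None:
        return "unparseable-on-1900"
    # "SEARCH" is accepted because that is how the sniffer in the post rendered it.
    if msg.method in ("M-SEARCH", "SEARCH"):
        st = msg.headers.get("ST", "")
        label = "ssdp-search"
        if "WANIPConnection" in st or "InternetGatewayDevice" in st:
            label += ":igd-nat-traversal"  # host is looking for a UPnP-capable gateway
        if dst_ip != SSDP_MCAST:
            label += ":unicast"  # aimed at a single host rather than the multicast group
        return label
    if msg.method == "NOTIFY":
        return "ssdp-notify:" + msg.headers.get("NTS", "unknown")
    return "ssdp-other:" + msg.method


if __name__ == "__main__":
    for name, payload in [("msearch", SAMPLE_MSEARCH), ("notify", SAMPLE_NOTIFY), ("junk", SAMPLE_JUNK)]:
        print(name, "->", classify(payload, SSDP_MCAST, SSDP_PORT))
```

The labels are deliberately coarse: a `WANIPConnection` search to the multicast group is the normal, expected shape of a host's NAT-traversal probe and matches what the post describes, whereas a search unicast to an unexpected host, or a payload on 1900 that does not parse at all, is the kind of thing worth a closer look. The same distinction translates directly into Snort rules keyed on udp/1900 and the `M-SEARCH` and `ST:` content.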

    _______________________________________________
    Snort-users mailing list
    Snort-userslists.sourceforge.net
    Go to this URL to change user options or unsubscribe:
    https://lists.sourceforge.net/lists/listinfo/snort-users
    Snort-users list archive:
    http://www.geocrawler.com/redir-sf.php3?list=snort-users