[Snort-users] SCAN UPnP service discover attempt


Mark Williamson
Jun 4, 2003, 11:14:40 AM
Greetings,

There are two hosts on this network that every 5 seconds or so cause
snort to alert

[**] [1:1917:4] SCAN UPnP service discover attempt [**]
[Classification: Detection of a Network Scan] [Priority: 3]
...........


Each alert is repeated 3 times from each host to the same destination
(the gateway router on this network).

Both of the hosts are running Windows XP and Snort is running on
Slackware 9.0.0

I see on the snort.org site what this is (SID:1917), but the part that
troubles me is the False Positive and False Negative sections:

False Positives: A scanner may be used in a security audit.
False Negatives: None Known.

If this is the case, why am I seeing these hosts "ticking" like this?
Any help on this matter would be much appreciated; I've RTFM'd and googled
and checked the mail archive, yet I find no answers to my quandary.

Thanks again,

Mark

-------------------------------------------------------
This SF.net email is sponsored by: Etnus, makers of TotalView, The best
thread debugger on the planet. Designed with thread debugging features
you've never dreamed of, try TotalView 6 free at www.etnus.com.
_______________________________________________
Snort-users mailing list
Snort...@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Mark Williamson
Jun 4, 2003, 11:32:30 AM
Thank you so much Michel; disabling SSDP will have no adverse effects
then, brilliant. Thank you for your speedy response too :)
- Sorry about the double post, I didn't realize I was sending from the
wrong address the first time around.

Mark

Bruyere, Michel wrote:

>Just disable the SSDP service on Windows XP and it will stop the
>discovery process. UPnP is the new Universal Plug and Play feature (thanks
>again M$) that tries to discover new hardware on the LAN. For more information
>on this subject you can get an eye on http://grc.com/unpnp/unpnp.htm
>
>My 0.02$
>
>
>
>M. Bruyere

Bruyere, Michel
Jun 4, 2003, 11:32:58 AM

Hi There,

<snip>

> Greetings,
>
> There are two hosts on this network that every 5 seconds or so cause
> snort to alert
>
> [**] [1:1917:4] SCAN UPnP service discover attempt [**]
> [Classification: Detection of a Network Scan] [Priority: 3]
> ...........
>
>
> each alert is repeated 3 times from each host to the same destination
> (the gateway router on this network)
>
> Both of the hosts are running Windows XP and Snort is running on
> Slackware 9.0.0

<snip>

Mark Williamson
Jun 4, 2003, 12:03:50 PM
Michel - It is definitely stopped, not disabled; still it ticks :(

Ahh, thank you Thomas - this sounds like it might be the issue then,
thanks.
So I just grep away these entries for this host from my alert log, I
suppose.

- Still, this seems strange to me - I believe all of the XP
installations here to be of the same version with the same patches
applied, which makes it strange that 2 of them insist on sending UPnP
while the rest are happy without.

Time for some more investigation into versions, I suppose, although why
they can't just use Linux and have done with these stealthy services
trying to be helpful for them I still don't know.


Thanks all, you have been most helpful,


Best Regards
Mark


Thomas T. Evans, III wrote:

>Mark:
>
>XP is a big fan of UPnP scanning and I have one machine that refuses to
>stop. There is a Q article somewhere on steps you can take to disable it,
>but in our case, the machine refused to cooperate.
>
>Thomas T. Evans, III CCNA
>Senior Network Manager
>Hawk Corporation
>tte...@hawkcorp.net
>216-267-7787 Ext. 500
>Cell: 440-669-2526
>Fax: 917-464-7241
>President, MFG/Pro Midwest User Group

Thomas T. Evans, III
Jun 4, 2003, 12:07:54 PM
Mark:

XP is a big fan of UPnP scanning and I have one machine that refuses to
stop. There is a Q article somewhere on steps you can take to disable it,
but in our case, the machine refused to cooperate.

Thomas T. Evans, III CCNA
Senior Network Manager
Hawk Corporation
tte...@hawkcorp.net
216-267-7787 Ext. 500
Cell: 440-669-2526
Fax: 917-464-7241
President, MFG/Pro Midwest User Group

-----Original Message-----
From: snort-us...@lists.sourceforge.net
[mailto:snort-us...@lists.sourceforge.net]On Behalf Of Mark Williamson
Sent: Wednesday, June 04, 2003 11:18 AM
To: snort
Subject: [Snort-users] SCAN UPnP service discover attempt

Greetings,

There are two hosts on this network that every 5 seconds or so cause
snort to alert

[**] [1:1917:4] SCAN UPnP service discover attempt [**]
[Classification: Detection of a Network Scan] [Priority: 3]
...........


each alert is repeated 3 times from each host to the same destination
(the gateway router on this network)

Both of the hosts are running Windows XP and Snort is running on
Slackware 9.0.0

I see on the snort.org site what this is SID:1917 - but the part that
troubles me is the False Positive and False Negative sections -

False Positives: A scanner may be used in a security audit.
False Negatives: None Known.

If this is the case why am i seeing these hosts "ticking" like this?
Any help on this matter would be much appreciated, I've rtfm and googled
and checked the mail archive yet i find no answers to my quandry.

Thanks again,

Mark


Mark Williamson
Jun 4, 2003, 12:15:39 PM
Hi, I have disabled SSDP in controlpanel->services->SSDP Detection Service
on one of the machines (192.168.2.10), but I am still seeing the same ticking effect
as on the host that doesn't have this service disabled.

Again I am lost with no clue,

Any ideas?

Thanks again

Mark


[**] [1:1917:4] SCAN UPnP service discover attempt [**]
[Classification: Detection of a Network Scan] [Priority: 3]

06/04-16:15:11.097117 0:4:23:20:A8:C4 -> 0:50:BA:98:DD:7 type:0x800 len:0xAE
192.168.2.10:1047 -> 192.168.2.200:1900 UDP TTL:128 TOS:0x0 ID:928 IpLen:20 DgmLen:160
Len: 132

[**] [1:1917:4] SCAN UPnP service discover attempt [**]
[Classification: Detection of a Network Scan] [Priority: 3]

06/04-16:15:11.097261 0:4:23:20:A8:C4 -> 0:50:BA:98:DD:7 type:0x800 len:0xAF
192.168.2.10:1047 -> 192.168.2.200:1900 UDP TTL:128 TOS:0x0 ID:929 IpLen:20 DgmLen:161
Len: 133

[**] [1:1917:4] SCAN UPnP service discover attempt [**]
[Classification: Detection of a Network Scan] [Priority: 3]

06/04-16:15:11.599529 0:4:23:20:A8:C4 -> 0:50:BA:98:DD:7 type:0x800 len:0xAE
192.168.2.10:1047 -> 192.168.2.200:1900 UDP TTL:128 TOS:0x0 ID:950 IpLen:20 DgmLen:160
Len: 132

<snip>

>
>Just disable the SSDP service on Windows XP and it will stop the
>discovery process. UPnP is the new Universal Plug and Play feature (thanks
>again M$) that tries to discover new hardware on the LAN. For more information
>on this subject you can get an eye on http://grc.com/unpnp/unpnp.htm
>
>

</snip>

>My 0.02$
>
>
>
>M. Bruyere
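
As an added example (not from the thread or from the Snort project), a small Python script that reads full-format alert records like the ones Mark pasted above, separates sources that only ever send SID 1917 to a single destination on 1900/udp (the XP SSDP chatter toward the gateway) from sources that touch several hosts, and emits `suppress` lines in the threshold.conf syntax of Snort 2.0 and later for the former only. The sample alert data is constructed; the 192.168.2.11 and 192.168.2.50 sources and their destinations are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in Snort's "full" alert format, following the records
# pasted in the thread. .10 and the assumed .11 only talk to the gateway
# 192.168.2.200 on 1900/udp; the assumed .50 probes several hosts instead.
RECORD = (
    "[**] [1:1917:4] SCAN UPnP service discover attempt [**]\n"
    "[Classification: Detection of a Network Scan] [Priority: 3]\n"
    "06/04-16:15:{n:02d}.000000 0:4:23:20:A8:C4 -> 0:50:BA:98:DD:7 type:0x800 len:0xAE\n"
    "{src}:1047 -> {dst}:1900 UDP TTL:128 TOS:0x0 ID:{n} IpLen:20 DgmLen:160\n"
    "Len: 132\n\n"
)
FLOWS = [("192.168.2.10", "192.168.2.200")] * 3 + [("192.168.2.11", "192.168.2.200")] * 3 \
    + [("192.168.2.50", d) for d in ("192.168.2.21", "192.168.2.22", "192.168.2.23")]
SAMPLE_ALERTS = "".join(RECORD.format(n=i, src=s, dst=d) for i, (s, d) in enumerate(FLOWS))

HEADER = re.compile(r"^\[\*\*\] \[(\d+):(\d+):\d+\] .+ \[\*\*\]$")
FLOW = re.compile(r"^(\d+\.\d+\.\d+\.\d+):\d+ -> (\d+\.\d+\.\d+\.\d+):(\d+) \w+")

def parse_alerts(text):
    """Yield (gid, sid, src, dst, dport) for every record in a full-format alert file."""
    gid = sid = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            gid, sid = int(m.group(1)), int(m.group(2))
            continue
        m = FLOW.match(line)
        if m and sid is not None:
            yield gid, sid, m.group(1), m.group(2), int(m.group(3))
            gid = sid = None  # a record carries exactly one flow line

def triage(text, sid=1917):
    """Split the sources that fired the SID into SSDP chatter (one destination on
    port 1900) and sources that touched several destinations and deserve a look."""
    targets = defaultdict(set)
    for gid, s, src, dst, dport in parse_alerts(text):
        if gid == 1 and s == sid:
            targets[src].add((dst, dport))
    chatter = sorted(src for src, t in targets.items()
                     if len(t) == 1 and next(iter(t))[1] == 1900)
    review = sorted(src for src in targets if src not in chatter)
    return chatter, review

def suppress_lines(sources, sid=1917):
    """threshold.conf entries (Snort 2.0+ syntax) that silence the SID for these sources only."""
    return [f"suppress gen_id 1, sig_id {sid}, track by_src, ip {src}" for src in sources]
```

Suppressing per source keeps the rule live for everything else on the segment, which is what the rule's false-positive note is pointing at: a host sweeping many addresses on 1900/udp should still alert.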

Schmehl, Paul L
Jun 4, 2003, 12:26:14 PM
Unless you really use it, I would disable the UPnP service entirely (as
well as the SSDP service). I wrote an article for Securityfocus [0]
about the buffer overflow that eEye found in SSDP (announced right after
the launch of XP), and the potential for exploitation of this service is
scary. Microsoft appears to have given very little thought to the
potential for hacking this service.

The UPnP service is not started by default; however, the SSDP service is.
I would disable both, and have on every machine I use.

[0] http://www.securityfocus.com/infocus/1548

Paul Schmehl (pa...@utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/

-----Original Message-----
From: Joerg Weber [mailto:j.w...@infos.de]
Sent: Wednesday, June 04, 2003 9:34 AM
To: SnortUsers
Subject: Re: [Snort-users] SCAN UPnP service discover attempt


Hi Mark,

I'm not exactly a windows expert, but as far as I know, Windows XP
clients by default look for what is called UPnP device descriptions via
UPnP. That's why you're seeing these alerts IMO.

Have a look at
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-059.asp
for some info about the UPnP service and bugs within it.

Joerg Weber
Jun 4, 2003, 12:28:45 PM


Hi Mark,

I'm not exactly a windows expert, but as far as I know, Windows XP
clients by default look for what is called UPnP device descriptions via
UPnP. That's why you're seeing these alerts IMO.

Have a look at
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-059.asp
for some info about the UPnP service and bugs within it.

Hope I could help,

Joerg

> Greetings,
>
> There are two hosts on this network that every 5 seconds or so cause
> snort to alert
>
> [**] [1:1917:4] SCAN UPnP service discover attempt [**]
> [Classification: Detection of a Network Scan] [Priority: 3]
> ...........

--
Joerg Weber
Network Security

infoServe GmbH
Nell-Breuning-Allee 6
D-66115 Saarbruecken

T: (0681) 8 80 08 - 0
F: (0681) 8 80 08 - 59
www.infos.de
E: j.w...@infos.de


bmcd...@coxhealthplans.com
Jun 4, 2003, 1:00:06 PM

Watch for MSN Messenger users trying to use anything other than IM (as
in voice, file transfer, etc.) They have an article on why all of this
uses UPnP somewhere in their knowledgebase.

Personally, I'd just like to make UPnP work via conntrack in my
iptables, but that's another story.

-----Original Message-----
From: snort-us...@lists.sourceforge.net
[mailto:snort-us...@lists.sourceforge.net]On Behalf Of Joerg Weber
Sent: Wednesday, June 04, 2003 10:34 AM
To: SnortUsers

Subject: Re: [Snort-users] SCAN UPnP service discover attempt


Hi Mark,

I'm not exactly a windows expert, but as far as I know, Windows XP
clients by default look for what is called UPnP device descriptions via
UPnP. That's why you're seeing these alerts IMO.

Have a look at
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-059.asp
for some info about the UPnP service and bugs within it.

Hope I could help,

Joerg

> Greetings,
>
> There are two hosts on this network that every 5 seconds or so cause
> snort to alert
>
> [**] [1:1917:4] SCAN UPnP service discover attempt [**]
> [Classification: Detection of a Network Scan] [Priority: 3]
> ...........

--
Joerg Weber
Network Security

infoServe GmbH
Nell-Breuning-Allee 6
D-66115 Saarbruecken

T: (0681) 8 80 08 - 0
F: (0681) 8 80 08 - 59
www.infos.de
E: j.w...@infos.de

Garret...@ser.com
Jun 4, 2003, 4:42:35 PM
I'm dealing with the same issue here. We have shut the services off, but
still get 2 packets every 25 secs. Here is an article from the MS site.
Haven't tried the dink yet but .... hih

http://support.microsoft.com/default.aspx?scid=kb%3ben-us%3b317843

thanks.
-----Original Message-----
From: bmcd...@coxhealthplans.com [mailto:bmcd...@coxhealthplans.com]
Sent: Wednesday, June 04, 2003 12:01 PM
To: snort...@lists.sourceforge.net
Subject: RE: [Snort-users] SCAN UPnP service discover attempt

Watch for MSN Messenger users trying to use anything other than IM (as in
voice, file transfer, etc.) They have an article on why all of this uses
UPnP somewhere in their knowledgebase.

Personally, I'd just like to make UPnP work via conntrack in my iptables,
but that's another story.

-----Original Message-----
From: snort-us...@lists.sourceforge.net
[mailto:snort-us...@lists.sourceforge.net]On Behalf Of Joerg Weber
Sent: Wednesday, June 04, 2003 10:34 AM
To: SnortUsers
Subject: Re: [Snort-users] SCAN UPnP service discover attempt


Hi Mark,

I'm not exactly a windows expert, but as far as I know, Windows XP
clients by default look for what is called UPnP device descriptions via
UPnP. That's why you're seeing these alerts IMO.

Have a look at
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-059.asp
for some info about the UPnP service and bugs within it.

Hope I could help,

Joerg

> Greetings,
>
> There are two hosts on this network that every 5 seconds or so cause
> snort to alert
>
> [**] [1:1917:4] SCAN UPnP service discover attempt [**]
> [Classification: Detection of a Network Scan] [Priority: 3]
> ...........

--
Joerg Weber
Network Security

infoServe GmbH
Nell-Breuning-Allee 6
D-66115 Saarbruecken

T: (0681) 8 80 08 - 0
F: (0681) 8 80 08 - 59
www.infos.de
E: j.w...@infos.de

