# Current revision (sid 2008093, rev 5).
# Alerts on an established, client-to-server TCP session from $EXTERNAL_NET to
# $HOME_NET port 2555 whose payload starts with "GET " and contains "/upnp/"
# followed by four hyphen-separated alphanumeric groups of 8, 4, 4 and 16
# characters and a closing "/". The "/upnp/" content and the pcre are
# case-insensitive; "GET " is matched case-sensitively.
# - content:"GET "; depth:4 pins the method to the first four payload bytes.
# - content:"/upnp/" is a literal match that lets the engine discard most
#   traffic before the more expensive pcre is evaluated.
# - The 8-4-4-16 grouping is not the canonical 8-4-4-4-12 UUID text form, and
#   [a-z0-9] is wider than hex. NOTE(review): presumably modelled on one device
#   family's URL layout -- confirm against the upnp-hacks.org reference.
# - Coverage is limited to GET requests on destination port 2555, and the
#   direction check is only as good as the sensor's $HOME_NET / $EXTERNAL_NET
#   definitions (an $EXTERNAL_NET of "any" also alerts on internal sources).
# - to_server only: an alert shows the request was seen, not that a device
#   answered; check the response and whether the host listens on 2555.
alert tcp $EXTERNAL_NET any -> $HOME_NET 2555 (msg:"ET SCAN External to Internal UPnP? Request tcp port 2555"; flow:established,to_server; content:"GET "; depth:4; content:"/upnp/"; nocase; pcre:"/\/upnp\/[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{16}\//i"; reference:url,www.upnp-hacks.org/upnp.html; reference:url,doc.emergingthreats.net/2008093; classtype:attempted-recon; sid:2008093; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Added 2017-08-07 21:01:17 UTC


# Historical copy of rev 5 (sid 2008093) with no metadata keyword.
# Match logic: established to_server flow to $HOME_NET port 2555, payload begins
# with "GET ", contains "/upnp/" (nocase) and satisfies the 8-4-4-16
# alphanumeric path pcre.
alert tcp $EXTERNAL_NET any -> $HOME_NET 2555 (msg:"ET SCAN External to Internal UPnP? Request tcp port 2555"; flow:established,to_server; content:"GET "; depth:4; content:"/upnp/"; nocase; pcre:"/\/upnp\/[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{16}\//i"; reference:url,www.upnp-hacks.org/upnp.html; reference:url,doc.emergingthreats.net/2008093; classtype:attempted-recon; sid:2008093; rev:5;)

Added 2011-10-12 19:24:25 UTC


# Historical copy of rev 5 (sid 2008093) with classtype placed ahead of the
# reference options. classtype and reference are non-payload options, so their
# position does not change what the rule matches.
alert tcp $EXTERNAL_NET any -> $HOME_NET 2555 (msg:"ET SCAN External to Internal UPnP? Request tcp port 2555"; flow:established,to_server; content:"GET "; depth:4; content:"/upnp/"; nocase; pcre:"/\/upnp\/[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{16}\//i"; classtype:attempted-recon; reference:url,www.upnp-hacks.org/upnp.html; reference:url,doc.emergingthreats.net/2008093; sid:2008093; rev:5;)

Added 2011-09-14 22:37:54 UTC


# Historical copy of rev 5 (sid 2008093) that still carries a third reference,
# to the cvsweb signature history. The payload checks are the raw-content form:
# "GET " in the first four bytes, "/upnp/" (nocase), then the 8-4-4-16 pcre.
alert tcp $EXTERNAL_NET any -> $HOME_NET 2555 (msg:"ET SCAN External to Internal UPnP? Request tcp port 2555"; flow:established,to_server; content:"GET "; depth:4; content:"/upnp/"; nocase; pcre:"/\/upnp\/[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{16}\//i"; classtype:attempted-recon; reference:url,www.upnp-hacks.org/upnp.html; reference:url,doc.emergingthreats.net/2008093; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_UPnP; sid:2008093; rev:5;)

Added 2011-02-04 17:27:12 UTC


# Historical copy of rev 5 (sid 2008093): raw payload content match on "/upnp/"
# and a pcre with only the i modifier, i.e. evaluated against the packet payload
# rather than a parsed HTTP URI buffer.
alert tcp $EXTERNAL_NET any -> $HOME_NET 2555 (msg:"ET SCAN External to Internal UPnP? Request tcp port 2555"; flow:established,to_server; content:"GET "; depth:4; content:"/upnp/"; nocase; pcre:"/\/upnp\/[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{16}\//i"; classtype:attempted-recon; reference:url,www.upnp-hacks.org/upnp.html; reference:url,doc.emergingthreats.net/2008093; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_UPnP; sid:2008093; rev:5;)

Added 2010-07-26 14:31:00 UTC


# Historical copy of rev 5 (sid 2008093), same text as the entry with the same
# "Added" timestamp on this page. Keeps the sid and bumps rev, so a deployed
# ruleset should contain only one revision of this signature.
alert tcp $EXTERNAL_NET any -> $HOME_NET 2555 (msg:"ET SCAN External to Internal UPnP? Request tcp port 2555"; flow:established,to_server; content:"GET "; depth:4; content:"/upnp/"; nocase; pcre:"/\/upnp\/[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{16}\//i"; classtype:attempted-recon; reference:url,www.upnp-hacks.org/upnp.html; reference:url,doc.emergingthreats.net/2008093; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_UPnP; sid:2008093; rev:5;)

Added 2010-07-26 14:31:00 UTC


# Rev 4 (sid 2008093). Uses uricontent and the pcre U modifier, so "/upnp/" and
# the 8-4-4-16 path pattern are matched against the engine's HTTP URI buffer
# instead of the raw payload.
# NOTE(review): in Snort that buffer is only populated when HTTP inspection is
# configured for the port; 2555 is not a usual HTTP port, which is presumably
# why rev 5 on this page uses plain content -- confirm.
alert tcp $EXTERNAL_NET any -> $HOME_NET 2555 (msg:"ET SCAN External to Internal UPnP? Request tcp port 2555"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/upnp/"; nocase; pcre:"/\/upnp\/[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{16}\//Ui"; classtype:attempted-recon; reference:url,www.upnp-hacks.org/upnp.html; reference:url,doc.emergingthreats.net/2008093; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_UPnP; sid:2008093; rev:4;)

Added 2009-02-12 18:21:19 UTC


# Historical copy of rev 4 (sid 2008093): URI-buffer form of the rule
# (uricontent plus pcre /Ui) with three reference URLs.
alert tcp $EXTERNAL_NET any -> $HOME_NET 2555 (msg:"ET SCAN External to Internal UPnP? Request tcp port 2555"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/upnp/"; nocase; pcre:"/\/upnp\/[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{16}\//Ui"; classtype:attempted-recon; reference:url,www.upnp-hacks.org/upnp.html; reference:url,doc.emergingthreats.net/2008093; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_UPnP; sid:2008093; rev:4;)

Added 2009-02-12 18:21:19 UTC


# Rev 2 (sid 2008093). Source is $EXTERNAL_NET; payload checks are the
# URI-buffer form (uricontent "/upnp/" with nocase, pcre /Ui) and the only
# reference is the upnp-hacks.org page.
alert tcp $EXTERNAL_NET any -> $HOME_NET 2555 (msg:"ET SCAN External to Internal UPnP? Request tcp port 2555"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/upnp/"; nocase; pcre:"/\/upnp\/[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{16}\//Ui"; classtype:attempted-recon; reference:url,www.upnp-hacks.org/upnp.html; sid:2008093; rev:2;)

Added 2008-04-03 15:40:10 UTC

This signature looks for UPnP-style requests coming from outside to your perimeter or internal net. This is never a good thing to have happening, and with recent issues of routers coming out of the box with external administration enabled, you'll want to know about these.

-- MattJonkman - 03 Apr 2008


# Historical copy of rev 2 (sid 2008093): $EXTERNAL_NET source, uricontent and
# pcre /Ui matching, single upnp-hacks.org reference.
alert tcp $EXTERNAL_NET any -> $HOME_NET 2555 (msg:"ET SCAN External to Internal UPnP? Request tcp port 2555"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/upnp/"; nocase; pcre:"/\/upnp\/[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{16}\//Ui"; classtype:attempted-recon; reference:url,www.upnp-hacks.org/upnp.html; sid:2008093; rev:2;)

Added 2008-04-03 15:40:10 UTC


# Rev 1 (sid 2008093). The source is written as !$HOME_NET, i.e. any address
# outside $HOME_NET regardless of how $EXTERNAL_NET is defined on the sensor.
# Payload checks are the URI-buffer form (uricontent "/upnp/", pcre /Ui).
alert tcp !$HOME_NET any -> $HOME_NET 2555 (msg:"ET SCAN External to Internal UPnP? Request tcp port 2555"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/upnp/"; nocase; pcre:"/\/upnp\/[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{16}\//Ui"; classtype:attempted-recon; reference:url,www.upnp-hacks.org/upnp.html; sid:2008093; rev:1;)

Added 2008-04-03 13:13:45 UTC


Topic revision: r2 - 2008-04-03 - MattJonkman
 