Find the answer to your Linux question:
Results 1 to 4 of 4
I am using Ubuntu 11.04 and have just started using Snort!. (I installed the latest version of Snort! a couple of months ago.) When I run the following Snort! command ...
Enjoy an ad free experience by logging in. Not a member yet? Register.
  1. 01-22-2013 #1
    OtagoHarbour
    OtagoHarbour is offline
    Just Joined!
    Join Date
    Jan 2013
    Posts
    3

    Snort UpnP Alert on Ubuntu

    I am using Ubuntu 11.04 and have just started using Snort!. (I installed the latest version of Snort! a couple of months ago.) When I run the following Snort! command

    Code:
    sudo snort -d -c /etc/snort/snort.conf -h 192.168.1.0/24 -l /etc/snort
    I get the following output.

    Code:
    [**] [1:1384:8] MISC UPnP malformed advertisement [**]
[Classification: Misc Attack] [Priority: 2] 
01/21-20:18:02.413927 192.168.1.1:1900 -> 239.255.255.250:1900
UDP TTL:4 TOS:0x0 ID:0 IpLen:20 DgmLen:360 DF
Len: 332
    (This is posted by references to web links which I cannot post since I am a new member.)

    I followed the references and it appears that this is mainly a Windows problem and I am using Linux. However I do not think that I need UPnP and it appears to be a security risk. So I would like to disable it but have not found a good explanation about how to disable it, at least on Linux. I would be most grateful if someone could tell me how to do so.

    Thanks,
    Peter.
    Reply With Quote Reply With Quote
  2. 01-22-2013 #2
    lenfried_ga_suki
    lenfried_ga_suki is offline
    Just Joined!
    Join Date
    Jan 2013
    Posts
    8
    You could just block it with iptables. UPnP runs on UDP port 1900 and TCP port 2869 according to Wikipedia.

    Code:
    sudo iptables -A INPUT -p tcp --sport 2869 -j DROP
    Code:
    sudo iptables -A INPUT -p udp --sport 1900 -j DROP
    Then make sure you save those rules.
    Reply With Quote Reply With Quote
  3. 01-23-2013 #3
    OtagoHarbour
    OtagoHarbour is offline
    Just Joined!
    Join Date
    Jan 2013
    Posts
    3
    Quote Originally Posted by lenfried_ga_suki View Post
    You could just block it with iptables. UPnP runs on UDP port 1900 and TCP port 2869 according to Wikipedia.

    Code:
    sudo iptables -A INPUT -p tcp --sport 2869 -j DROP
    Code:
    sudo iptables -A INPUT -p udp --sport 1900 -j DROP
    Then make sure you save those rules.
    Thank you for your reply. Is that likely to block UDP or TCP packets other than those associated with UPnP?

    Thanks very much,
    Peter.
    Reply With Quote Reply With Quote
  4. 01-23-2013 #4
    lenfried_ga_suki
    lenfried_ga_suki is offline
    Just Joined!
    Join Date
    Jan 2013
    Posts
    8
    No, I don't think so. Especially since you're not using Windows. I looked up those ports, and it appears that the only services that run on them are Microsoft services.

    SSDP, which is specifically for UPnP, runs on UDP 1900, and ICSLAP, which is for Windows network sharing, runs on TCP 2869.

    ports.my-addr.com/tcp_port-udp_port-application-and-description.php?port=2869
    ports.my-addr.com/tcp_port-udp_port-application-and-description.php?port=1900
    Reply With Quote Reply With Quote
« Previous Thread | Next Thread »

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules