Put three new signatures up regarding UPnP. No new exploit or vulnerability, but we're seeing malware samples that are going straight to the local router on TCP UPnP port 2555. This is unusual; normal UPnP starts with UDP port 1900 to do discovery.

http://doc.emergingthreats.net/2008092

This sig will find internal-to-internal UPnP requests on port 2555. These are legal, but not normal. If you see this on a non-home network, it's likely something you'll want to follow up on if you weren't doing it on purpose.

http://doc.emergingthreats.net/2008093

This is similar to the above, but for requests coming from outside to your perimeter or internal net. This is never a good thing to have happening, and with recent issues of routers coming out of the box with external administration enabled, you'll want to know about these.

http://doc.emergingthreats.net/2008094

Similar here, from outside to your local net, but the TCP port 2555 version. This is not a normal discovery protocol; someone's trying to access your systems. Definitely needs attention!

Please report any issues!

Matt
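For triaging flow or firewall logs along the same lines as the three signatures, here is an added example (not part of the original post and not the Emerging Threats rule text). It assumes HOME_NET is the RFC 1918 space, reads the second signature as the UDP 1900 discovery case, and uses constructed flow records and hypothetical label names.

```python
import ipaddress

# Assumption: HOME_NET is the RFC 1918 space; replace with your own ranges.
HOME_NET = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

UPNP_DISCOVERY = ("udp", 1900)   # normal UPnP discovery, per the post
UPNP_TCP = ("tcp", 2555)         # direct-to-router TCP port named in the post


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in HOME_NET)


def classify(flow):
    """Return a triage label (hypothetical names) or None for one flow record."""
    service = (flow["proto"].lower(), int(flow["dport"]))
    if service not in (UPNP_DISCOVERY, UPNP_TCP):
        return None
    src_in, dst_in = is_internal(flow["src"]), is_internal(flow["dst"])
    if not dst_in:
        # Includes ordinary multicast discovery to 239.255.255.250.
        return None
    if service == UPNP_TCP:
        # Internal source: legal but not normal. External source: needs attention.
        return "internal-tcp-2555" if src_in else "external-tcp-2555"
    # UDP 1900 between internal hosts is normal; from outside it is not.
    return None if src_in else "external-upnp-discovery"


def triage(flows):
    """Return (label, src, dst) for every flow worth following up on."""
    hits = []
    for flow in flows:
        label = classify(flow)
        if label:
            hits.append((label, flow["src"], flow["dst"]))
    return hits


# Constructed sample records (documentation address ranges for external hosts).
SAMPLE_FLOWS = [
    {"src": "192.168.1.50", "dst": "239.255.255.250", "proto": "udp", "dport": 1900},
    {"src": "192.168.1.50", "dst": "192.168.1.1", "proto": "tcp", "dport": 2555},
    {"src": "203.0.113.7", "dst": "192.168.1.1", "proto": "udp", "dport": 1900},
    {"src": "198.51.100.20", "dst": "192.168.1.1", "proto": "tcp", "dport": 2555},
    {"src": "192.168.1.50", "dst": "192.168.1.1", "proto": "tcp", "dport": 80},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_FLOWS):
        print(*hit)
```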