UPnP.SSDP.M.Search.Anomaly

Description

This indicates detection of an attempted scan using UPnP SSDP M-Search packets.
Simple Service Discovery Protocol (SSDP) is a network protocol for the advertisement and discovery of network service information. SSDP is the basis of discovery in Universal Plug and Play (UPnP). SSDP uses HTTP over UDP to announce the establishment or withdrawal of service information to the multicast group. A client that wishes to discover available services on a network uses the M-SEARCH method.
Normal M-Search packets should go to the multicast address 239.255.255.250, but the attempted scan targeted an IP address that is not the multicast address, which indicates that it is likely to be malicious. It could be from a scanner or from a DDoS.
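
The check described above, written out as an added example (not the signature's actual logic or vendor code): it parses a UDP payload as an SSDP M-SEARCH request, compares the destination with 239.255.255.250, and groups the non-multicast hits by source. UDP port 1900, the function names and the sample datagrams (documentation-range addresses) are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

SSDP_MULTICAST = ipaddress.ip_address("239.255.255.250")  # address given on this page
SSDP_PORT = 1900  # assumption: standard SSDP UDP port, not stated on the page

def parse_msearch(payload: bytes):
    """Return the header dict if payload is an SSDP M-SEARCH request, else None."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None
    lines = text.split("\r\n")
    parts = lines[0].split()
    if len(parts) != 3 or parts[0] != "M-SEARCH" or not parts[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        if not line:  # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers

def classify(dst_ip: str, dst_port: int, payload: bytes) -> str:
    """'not-msearch', 'normal' (multicast destination) or 'anomaly' (any other)."""
    if dst_port != SSDP_PORT or parse_msearch(payload) is None:
        return "not-msearch"
    return "normal" if ipaddress.ip_address(dst_ip) == SSDP_MULTICAST else "anomaly"

def anomalies_by_source(samples):
    """Map each source IP to the sorted non-multicast hosts it sent M-SEARCH to."""
    hits = defaultdict(set)
    for src, dst, port, data in samples:
        if classify(dst, port, data) == "anomaly":
            hits[src].add(dst)
    return {src: sorted(dsts) for src, dsts in hits.items()}

# Constructed sample datagrams: (source IP, destination IP, destination port, payload)
MSEARCH = (b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
           b'MAN: "ssdp:discover"\r\nMX: 2\r\nST: ssdp:all\r\n\r\n')
NOTIFY = b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nNTS: ssdp:alive\r\n\r\n"
SAMPLES = [
    ("192.0.2.10", "239.255.255.250", 1900, MSEARCH),  # ordinary discovery
    ("198.51.100.7", "192.0.2.20", 1900, MSEARCH),     # unicast M-SEARCH
    ("198.51.100.7", "192.0.2.21", 1900, MSEARCH),     # same source, next host
    ("192.0.2.10", "239.255.255.250", 1900, NOTIFY),   # advertisement, not a search
]

if __name__ == "__main__":
    print(anomalies_by_source(SAMPLES))
```

UPnP Device Architecture 1.1 also defines a unicast M-SEARCH, so a match from a known internal control point can be benign; weigh the source address and the number of distinct destinations when triaging.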

Affected Products

All network devices that support UPnP

Impact

Information Disclosure: Remote attackers can gain sensitive information from vulnerable systems.

Recommended Actions

Monitor the traffic from the network for any suspicious activity.

Coverage

IPS (Regular DB)
IPS (Extended DB)

Version Updates

Date Version Detail
2019-05-07 14.608 Status:enable:disable
2018-12-21 13.513