ET SCAN Internal to Internal UPnP Request tcp port 2555

This alert is triggered when an internal host (a $HOME_NET address) sends an HTTP GET request to another internal host on TCP port 2555 for a path under /upnp/ whose next component is an identifier of the shape 8-4-4-16 alphanumeric characters, i.e. /upnp/xxxxxxxx-xxxx-xxxx-xxxxxxxxxxxxxxxx/. UPnP (Universal Plug and Play) is a set of networking protocols that lets devices discover each other on the network and expose services for data sharing and communication; discovery runs over SSDP (UDP 1900), while device description and control run over HTTP on a port chosen by the device, which is why this rule keys on one specific TCP port. A match indicates that an internal entity is enumerating or probing the UPnP services of other internal devices, which is unusual for routine internal traffic, although a legitimate UPnP control point (such as a media player retrieving a device description from that port) can produce the same match.

Categories:

ID Number

4000496

Signature

alert tcp $HOME_NET any -> $HOME_NET 2555 (msg:"ET SCAN Internal to Internal UPnP Request tcp port 2555"; flow:established,to_server; content:"GET "; depth:4; content:"/upnp/"; nocase; pcre:"/\/upnp\/[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{16}\//i"; reference:url,www.upnp-hacks.org/upnp.html; reference:url,doc.emergingthreats.net/2008092; classtype:attempted-recon; sid:4000496; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
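To make the rule's conditions concrete, the following added example (not part of this page or of the Emerging Threats ruleset) re-implements the signature's match logic in Python and runs it over a handful of constructed client-to-server payloads. The $HOME_NET ranges, the IP addresses and the request bytes are all assumptions chosen for the demonstration; the example assumes the packet already belongs to an established TCP flow, which the rule's flow keyword checks separately.

```python
import ipaddress
import re

# Assumed $HOME_NET for this demonstration; a real sensor takes it from its
# Suricata/Snort configuration.
HOME_NET = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# The rule's pcre, unchanged: an 8-4-4-16 alphanumeric identifier after /upnp/
# (note this is NOT the standard 8-4-4-4-12 UUID layout).
UPNP_PATH_RE = re.compile(
    rb"/upnp/[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{16}/",
    re.IGNORECASE,
)


def in_home_net(addr: str) -> bool:
    """True if the address falls inside one of the assumed $HOME_NET ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in HOME_NET)


def rule_4000496_matches(src: str, dst: str, dport: int, payload: bytes) -> bool:
    """Apply the signature's conditions to one client->server TCP payload."""
    # $HOME_NET any -> $HOME_NET 2555
    if not (in_home_net(src) and in_home_net(dst)):
        return False
    if dport != 2555:
        return False
    # content:"GET "; depth:4  -> the 4-byte literal must start at offset 0
    if payload[:4] != b"GET ":
        return False
    # content:"/upnp/"; nocase
    if b"/upnp/" not in payload.lower():
        return False
    # pcre:"/\/upnp\/[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{16}\//i"
    return UPNP_PATH_RE.search(payload) is not None


# Constructed sample traffic (not real captures). Each entry is
# (source, destination, destination port, client-to-server payload).
SAMPLES = {
    "hit": (
        "192.168.1.20", "192.168.1.10", 2555,
        b"GET /upnp/0a1b2c3d-4e5f-6a7b-8c9d0e1f2a3b4c5d/desc.xml HTTP/1.1\r\n"
        b"Host: 192.168.1.10:2555\r\n\r\n",
    ),
    # Mixed case in the path still matches because of nocase and the /i flag.
    "mixed_case": (
        "10.4.4.4", "10.4.4.9", 2555,
        b"GET /UPnP/0A1B2C3D-4E5F-6A7B-8C9D0E1F2A3B4C5D/ HTTP/1.1\r\n\r\n",
    ),
    # A standard 8-4-4-4-12 UUID does not satisfy the rule's 8-4-4-16 pcre.
    "standard_uuid": (
        "192.168.1.20", "192.168.1.10", 2555,
        b"GET /upnp/0a1b2c3d-4e5f-6a7b-8c9d-0e1f2a3b4c5d/desc.xml HTTP/1.1\r\n\r\n",
    ),
    # Same request to a different port is outside the rule's scope.
    "wrong_port": (
        "192.168.1.20", "192.168.1.10", 80,
        b"GET /upnp/0a1b2c3d-4e5f-6a7b-8c9d0e1f2a3b4c5d/desc.xml HTTP/1.1\r\n\r\n",
    ),
    # External source: the rule is internal-to-internal only.
    "external_source": (
        "203.0.113.5", "192.168.1.10", 2555,
        b"GET /upnp/0a1b2c3d-4e5f-6a7b-8c9d0e1f2a3b4c5d/desc.xml HTTP/1.1\r\n\r\n",
    ),
    # depth:4 on "GET " rules out other methods even with a matching path.
    "post_method": (
        "192.168.1.20", "192.168.1.10", 2555,
        b"POST /upnp/0a1b2c3d-4e5f-6a7b-8c9d0e1f2a3b4c5d/control HTTP/1.1\r\n\r\n",
    ),
}


def evaluate_samples() -> dict:
    """Run every sample through the rule and return {name: matched}."""
    return {
        name: rule_4000496_matches(src, dst, dport, payload)
        for name, (src, dst, dport, payload) in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, matched in evaluate_samples().items():
        print(f"{name:16s} -> {'ALERT' if matched else 'no match'}")
```

Only the first two samples fire. The "standard_uuid" case is worth noting during tuning: the pcre expects sixteen characters in the last group, so a device that publishes a conventional UUID-shaped path under /upnp/ on port 2555 is not covered by this rule.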

MITRE ATT&CK Technique

-

Severity

High

Recommendations/Investigative actions

Identify the source and destination devices involved and establish their roles on the network: confirm whether the destination actually offers a UPnP service on TCP port 2555 and whether the source is a known UPnP control point that would legitimately request device descriptions from it. Review the full HTTP request captured with the alert (request path, Host and User-Agent headers) and check whether the same source has triggered this alert against many internal destinations in a short period, which points to enumeration rather than a single legitimate lookup. If the source is not a recognized or legitimate device, or there is no reason for UPnP requests on port 2555 on this network, block the traffic and investigate the source host for signs of compromise or malicious software.