ET SCAN External to Internal UPnP Request tcp port 2555

This alert is triggered when an external host sends a UPnP request to an internal host on TCP port 2555. UPnP (Universal Plug and Play) is a set of networking protocols that lets devices discover each other on a network and establish services for data sharing and communication. The alert may indicate that an external adversary or scanner is probing the UPnP services of internal devices. Because UPnP is meant for local-network discovery, an external UPnP request arriving on port 2555 is suspicious.

Categories:

ID Number

4000497

Signature

alert tcp $EXTERNAL_NET any -> $HOME_NET 2555 (msg:"ET SCAN External to Internal UPnP Request tcp port 2555"; flow:established,to_server; content:"GET "; depth:4; content:"/upnp/"; nocase; pcre:"/\/upnp\/[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{16}\//i"; reference:url,www.upnp-hacks.org/upnp.html; reference:url,doc.emergingthreats.net/2008093; classtype:attempted-recon; sid:4000497; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
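To show what the header and payload options of sid 4000497 actually accept, here is an added example (not part of the ET rule set) that reimplements the rule's checks in Python and runs them over constructed request samples. $HOME_NET is assumed to be 192.168.0.0/16 and 10.0.0.0/8 for the example, and the flow is assumed to be an established client-to-server TCP stream.

```python
import ipaddress
import re

# Assumed $HOME_NET for this example; the real value comes from the sensor config.
HOME_NET = [ipaddress.ip_network("192.168.0.0/16"), ipaddress.ip_network("10.0.0.0/8")]

# The rule's pcre option, including its /i flag.
UPNP_PATH_RE = re.compile(
    r"/upnp/[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{16}/", re.IGNORECASE
)

def in_home_net(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NET)

def header_matches(src_ip: str, dst_ip: str, dst_port: int, to_server: bool) -> bool:
    """alert tcp $EXTERNAL_NET any -> $HOME_NET 2555; flow:established,to_server"""
    return (not in_home_net(src_ip)) and in_home_net(dst_ip) and dst_port == 2555 and to_server

def payload_matches(payload: bytes) -> bool:
    """The rule's content/pcre options applied to the client->server payload."""
    # content:"GET "; depth:4 -> the 4-byte literal must sit within the first 4 bytes
    if payload[:4] != b"GET ":
        return False
    # content:"/upnp/"; nocase -> case-insensitive match anywhere in the payload
    if b"/upnp/" not in payload.lower():
        return False
    # pcre:"/\/upnp\/[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{16}\//i"
    return UPNP_PATH_RE.search(payload.decode("latin-1")) is not None

def rule_fires(src_ip: str, dst_ip: str, dst_port: int, payload: bytes) -> bool:
    # The flow is assumed established and to_server for these request payloads.
    return header_matches(src_ip, dst_ip, dst_port, True) and payload_matches(payload)

# Constructed sample requests (not captured traffic); the device path is made up.
SAMPLES = {
    "external_upnp_get": ("203.0.113.7", "192.168.1.20", 2555,
        b"GET /upnp/0123abcd-ef01-2345-6789abcdef012345/ HTTP/1.1\r\nHost: 192.168.1.20\r\n\r\n"),
    "uppercase_path": ("203.0.113.7", "192.168.1.20", 2555,
        b"GET /UPNP/0123ABCD-EF01-2345-6789ABCDEF012345/ HTTP/1.1\r\n\r\n"),
    "internal_source": ("192.168.1.5", "192.168.1.20", 2555,
        b"GET /upnp/0123abcd-ef01-2345-6789abcdef012345/ HTTP/1.1\r\n\r\n"),
    "post_method": ("203.0.113.7", "192.168.1.20", 2555,
        b"POST /upnp/0123abcd-ef01-2345-6789abcdef012345/ HTTP/1.1\r\n\r\n"),
    "standard_uuid_path": ("203.0.113.7", "192.168.1.20", 2555,
        b"GET /upnp/12345678-1234-1234-1234-123456789abc/ HTTP/1.1\r\n\r\n"),
}

def evaluate_samples() -> dict:
    """Map each sample name to whether the rule would fire on it."""
    return {name: rule_fires(*args) for name, args in SAMPLES.items()}
```

Note that the pcre expects an 8-4-4-16 hex-style path segment, so a request using the standard 8-4-4-4-12 UUID layout does not fire, while an internal source address fails the header match regardless of payload.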

MITRE ATT&CK Technique

-

Severity

High

Recommendations/Investigative actions

It is recommended, where possible, to block all UPnP communication on port 2555 from external networks, as UPnP is designed for local network discovery. If UPnP from external networks is necessary, allow access only from specific, approved external devices.