r2 - 03 Apr 2008 - 19:59:20 - MattJonkman

alert tcp $HOME_NET any -> $HOME_NET 2555 (msg:"ET SCAN Internal to Internal UPnP Request tcp port 2555"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/upnp/"; nocase; pcre:"/\/upnp\/[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{16}\//Ui"; classtype:attempted-recon; reference:url,www.upnp-hacks.org/upnp.html; sid:2008092; rev:1;)

Added 2008-04-03 13:13:45 UTC

This sig will find Internal to Internal UPnP requests on port 2555. These are legal, but not normal. If you see this on a non-home network it's likely something you'll want to follow up on if you weren't doing it on purpose.

-- MattJonkman - 03 Apr 2008
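
The rule's conditions replayed in Python over constructed flows, as an added example that is not part of the original page or the Emerging Threats ruleset. It assumes HOME_NET is the RFC 1918 space and approximates the normalized-URI buffer with percent-decoding; the sample addresses, paths and identifiers are made up. It also shows that the pcre as written accepts an 8-4-4-16 identifier and not the canonical 8-4-4-4-12 UUID layout.

```python
import ipaddress
import re
from urllib.parse import unquote

# Assumption: HOME_NET is RFC 1918 space; match this to the sensor's own config.
HOME_NET = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# The rule's pcre with /i; /U (normalized URI) is approximated with unquote().
UPNP_PCRE = re.compile(
    r"/upnp/[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{16}/", re.I)

# Constructed sample flows (src, dst, dport, payload); not captured traffic.
ID_RULE = "0a1b2c3d-4e5f-6a7b-8c9d0e1f2a3b4c5d"    # 8-4-4-16, as the pcre expects
ID_UUID = "0a1b2c3d-4e5f-6a7b-8c9d-0e1f2a3b4c5d"   # canonical 8-4-4-4-12 UUID
SAMPLES = [
    ("192.168.1.20", "192.168.1.1", 2555, f"GET /upnp/{ID_RULE}/x HTTP/1.1\r\n\r\n"),
    ("10.0.0.5", "10.0.0.1", 2555, f"GET /UPnP/{ID_RULE.upper()}/x HTTP/1.1\r\n\r\n"),
    ("192.168.1.20", "192.168.1.1", 2555, f"GET /upnp/{ID_UUID}/x HTTP/1.1\r\n\r\n"),
    ("203.0.113.7", "192.168.1.1", 2555, f"GET /upnp/{ID_RULE}/x HTTP/1.1\r\n\r\n"),
    ("192.168.1.20", "192.168.1.1", 2555, f"POST /upnp/{ID_RULE}/x HTTP/1.1\r\n\r\n"),
]


def in_home_net(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in HOME_NET)


def matches_sid_2008092(src, dst, dport, payload):
    """True if a to_server TCP payload meets the rule's header and content checks."""
    data = payload.encode("latin-1") if isinstance(payload, str) else payload
    # Header: $HOME_NET any -> $HOME_NET 2555
    if not (in_home_net(src) and in_home_net(dst) and dport == 2555):
        return False
    # content:"GET "; depth:4 -> must be the first four payload bytes
    if not data.startswith(b"GET "):
        return False
    parts = data.split(b"\r\n", 1)[0].split(b" ")
    uri = unquote(parts[1].decode("latin-1"))
    # uricontent:"/upnp/"; nocase, then the pcre on the same URI
    return "/upnp/" in uri.lower() and UPNP_PCRE.search(uri) is not None


def run_samples():
    return [matches_sid_2008092(*s) for s in SAMPLES]


if __name__ == "__main__":
    print(run_samples())
```

Only the first two flows satisfy every condition; the canonical-UUID path, the external source address and the POST request each fail one check.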
