alert tcp $EXTERNAL_NET any -> $HOME_NET 2555 (msg:"ET SCAN External to Internal UPnP? Request tcp port 2555"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/upnp/"; nocase; pcre:"/\/upnp\/[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{16}\//Ui"; classtype:attempted-recon; reference:url,www.upnp-hacks.org/upnp.html; sid:2008093; rev:2;)
Added 2008-04-03 15:40:10 UTC
for requests coming from outside to your perimeter or internal net. This is never a good thing to have happening, and with recent issues of routers coming out of the box with external administration enabled, you'll want to know about these.
--
MattJonkman - 03 Apr 2008
alert tcp $EXTERNAL_NET any -> $HOME_NET 2555 (msg:"ET SCAN External to Internal UPnP? Request tcp port 2555"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/upnp/"; nocase; pcre:"/\/upnp\/[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{16}\//Ui"; classtype:attempted-recon; reference:url,www.upnp-hacks.org/upnp.html; sid:2008093; rev:2;)
Added 2008-04-03 15:40:10 UTC
alert tcp !$HOME_NET any -> $HOME_NET 2555 (msg:"ET SCAN External to Internal UPnP? Request tcp port 2555"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/upnp/"; nocase; pcre:"/\/upnp\/[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{16}\//Ui"; classtype:attempted-recon; reference:url,www.upnp-hacks.org/upnp.html; sid:2008093; rev:1;)
Added 2008-04-03 13:13:45 UTC