Snort mailing list archives

RE: Unknown port traffic....


From: Clifford Durbin <CDurbin () toddpacific com>
Date: Tue, 15 Oct 2002 12:33:51 -0700

Group,
After a few weeks of on-again, off-again looking at the problem noted below,
I have found the solution. This only affects the w2k server and xp users out
there. Even though the universal plug and play is disabled in xp and
supposedly not even installed on w2k, the data packets are still broadcast.
You need to make a change in your registry to totally disable the "feature".
Microsoft Knowledge Base #Q317843... Excerpt:

Start Registry Editor (Regedt32.exe).
Locate and click the following key in the registry:
HKEY_LOCAL_MACHINE\Software\Microsoft\DirectPlayNATHelp\DPNHUPnP
On the Edit menu, click Add Value, and then add the following registry
value:
Value name: UPnPMode
Data type: REG_DWORD
Value data: 2 
Quit Registry Editor and reboot



-----Original Message-----
From: Clifford Durbin 
Sent: Thursday, September 26, 2002 2:03 PM
To: 'Brian F. Vaughan'; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Unknown port traffic....


Brian,

Thanks for the information. I stopped the IPSec service but still get the
same information. Not sure what service would be controlling h.323 though I
am looking. 

-cfd

-----Original Message-----
From: Brian F. Vaughan [mailto:bvaughan () wgen net]
Sent: Thursday, September 26, 2002 12:19 PM
To: Clifford Durbin; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Unknown port traffic....


Clifford,

Port 1120 is used by Win2k for IPSec, this is the most likely cause for the
port activity you are seeing.

Brian Vaughan
IT Administrator
Wireless Generation, Inc.


-----Original Message-----
From: Clifford Durbin [mailto:CDurbin () toddpacific com]
Sent: Thursday, September 26, 2002 2:35 PM
To: 'snort-users () lists sourceforge net'
Subject: [Snort-users] Unknown port traffic....


Can anybody give me some insight what the heck is using port 1120 and 1900?
From what I've read 1900 is UPnP on XP and ME but my machine
(xxx.xxx.xxx.165) is a 2K server and the recipient address (xxx.xxx.xxx.161)
is a Cisco router. Looking through the Internet Assignment Authority port
assignments page (http://www.iana.org/assignments/port-numbers) it lists
port 1900 as SSDP (Simple Service Discovery Protocol) and 1120 isn't even
listed. I get these approximately every 30 seconds.

[**] ICMP Destination Unreachable (Port Unreachable) [**]
09/26-10:11:28.577837 xxx.xxx.xxx.161 -> xxx.xxx.xxx.165 ICMP TTL:255
TOS:0xC0 ID:60478 IpLen:20 DgmLen:56 Type:3  Code:3  DESTINATION
UNREACHABLE: PORT UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
xxx.xxx.xxx.165:1120 -> xxx.xxx.xxx.161:1900
UDP TTL:127 TOS:0x0 ID:23456 IpLen:20 DgmLen:160
Len: 140
** END OF DUMP
00 00 00 00 45 00 00 A0 5B A0 00 00 7F 11 EF 32  ....E...[......2
CF 99 A8 A5 CF 99 A8 A1 04 60 07 6C 00 8C 9D E2  .........`.l....

Clifford Durbin
Sr. Systems Administrator
Todd Pacific Shipyards
Phone : 206-623-1635 x234
Fax : 206-442-8506
Email : cdurbin () toddpacific com <mailto:cdurbin () toddpacific com>




-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


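Added example, not part of the original thread: the payload Snort dumps for an ICMP Destination Unreachable is, per RFC 792, four unused bytes followed by the offending datagram's IP header and its first eight bytes, which is how the alert above recovers the 1120 -> 1900 UDP flow. The sketch below decodes that layout and flags SSDP traffic; the function names and the sample bytes (documentation-range addresses, zeroed checksums) are constructed for illustration.

```python
import ipaddress
import struct

SSDP_PORT = 1900  # SSDP / UPnP discovery, as listed by IANA

def build_sample() -> bytes:
    """Constructed sample: same layout, ports and lengths as the dump in the
    post, but with documentation-range addresses and zeroed checksums."""
    src = ipaddress.IPv4Address("192.0.2.165").packed
    dst = ipaddress.IPv4Address("192.0.2.161").packed
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 160, 23456, 0, 127, 17, 0, src, dst)
    udp = struct.pack("!HHHH", 1120, SSDP_PORT, 140, 0)
    return b"\x00" * 4 + ip + udp  # the 4 unused ICMP bytes come first

def parse_unreachable_payload(data: bytes) -> dict:
    """Decode the bytes that follow type/code/checksum in an ICMP Type 3 message."""
    if len(data) < 24:
        raise ValueError("need 4 unused bytes plus a 20-byte IPv4 header")
    inner = data[4:]
    ver_ihl, _tos, total_len, ip_id, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", inner[:20])
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes; options push it past 20
    if ver_ihl >> 4 != 4 or ihl < 20 or len(inner) < ihl:
        raise ValueError("embedded datagram is not a well-formed IPv4 header")
    info = {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "ttl": ttl, "ip_id": ip_id, "total_len": total_len, "proto": proto,
    }
    if proto == 17 and len(inner) >= ihl + 8:  # the quoted 8 bytes are the UDP header
        sport, dport, udp_len, _ = struct.unpack("!HHHH", inner[ihl:ihl + 8])
        info.update(sport=sport, dport=dport, udp_len=udp_len)
    return info

def is_ssdp_probe(info: dict) -> bool:
    """True when the datagram that triggered the ICMP error was UDP to port 1900."""
    return info["proto"] == 17 and info.get("dport") == SSDP_PORT

if __name__ == "__main__":
    decoded = parse_unreachable_payload(build_sample())
    print(decoded, "SSDP probe:", is_ssdp_probe(decoded))
```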

