From: John Sage (jsageat_private)
Date: Thu Oct 11 2001 - 13:55:59 PDT

  • Next message: cg: " weirdness?"

    "Goland et al.                                                 [Page 3] 
    INTERNET-DRAFT                 SSDP/V1               October 28, 1999
        A mechanism is needed to allow HTTP clients and HTTP resources to
        discover each other in local area networks. That is, a HTTP client
        may need a particular service that may be provided by one or more
        HTTP resources. The client needs a mechanism to find out which HTTP
        resources provide the service the client desires.
        For the purposes of this specification the previously mentioned HTTP
        client will be referred to as a SSDP client. The previous mentioned
        HTTP resource will be referred to as a SSDP service.
        In the simplest case this discovery mechanism needs to work without
        any configuration, management or administration. For example, if a
        user sets up a home network or a small company sets up a local area
        network they must not be required to configure SSDP before SSDP can
        be used to help them discover SSDP services in the form of Printers,
        Scanners, Fax Machines, etc.
    2.2.1.    Message Flow on the SSDP Multicast Channel
        The following is an overview of the messages used to implement SSDP.
        SSDP clients discover SSDP services using the reserved local
        administrative scope multicast address over the SSDP
        For brevity's sake the SSDP reserved local administrative scope
        multicast address and port will be referred to as the SSDP multicast
        Discovery occurs when a SSDP client multicasts a HTTP UDP discovery
        request to the SSDP multicast channel/Port. SSDP services listen to
        the SSDP multicast channel/Port in order to hear such discovery
        requests. If a SSDP service hears a HTTP UDP discovery request that
        matches the service it offers then it will respond using a unicast
        HTTP UDP response.
        SSDP services may send HTTP UDP notification announcements to the
        SSDP multicast channel/port to announce their presence.
        Hence two types of SSDP requests will be sent across the SSDP
        multicast channel/port. The first are discovery requests, a SSDP
        client looking for SSDP services. The second are presence
        announcements, a SSDP service announcing its presence..."
    - John
    John Sage
    FinchHaven, Vashon Island, WA, USA
    "The web is so, like, five minutes ago..."
    > All,
    > 	Is the following the footprint of a trojan or virus?  Does anyone have any pointers to SSDP?
    > 	Thanks everyone.
    > John
    > 10/10-08:24:10.486051 ->
    > UDP TTL:1 TOS:0x0 ID:26196 IpLen:20 DgmLen:118
    > Len: 98
    > 4D 2D 53 45 41 52 43 48 20 2A 20 48 54 54 50 2F  M-SEARCH * HTTP/
    > 31 2E 31 0D 0A 48 6F 73 74 3A 32 33 39 2E 32 35  1.1..Host:239.25
    > 35 2E 32 35 35 2E 32 35 30 0D 0A 53 54 3A 75 70  5.255.250..ST:up
    > 6E 70 3A 72 6F 6F 74 64 65 76 69 63 65 0D 0A 4D  np:rootdevice..M
    > 61 6E 3A 73 73 64 70 3A 64 69 73 63 6F 76 65 72  an:ssdp:discover
    > 0D 0A 4D 58 3A 33 0D 0A 0D 0A                    ..MX:3....
    > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:

    This archive was generated by hypermail 2b30 : Thu Oct 11 2001 - 13:58:06 PDT