Rule Category

SERVER-OTHER -- Snort has detected traffic exploiting vulnerabilities in a server in the network.

Alert Message

SERVER-OTHER SSDP M-SEARCH ssdp-all potential amplified distributed denial-of-service attempt

Rule Explanation

This event is generated when an external Simple Service Discovery Protocol (SSDP) M-SEARCH with an ST field of "ssdp:all" is seen on the internal network. This detection flags a known option used in distributed denial-of-service attacks and warns that this behavior from outside the network is risky.

Impact: Attempted Denial of Service

Details: SSDP has two generic Search Target (ST) types used in conjunction with the M-SEARCH query: upnp:rootdevice and ssdp:all. The latter option searches for all devices running UPnP and elicits large responses from them.

Ease of Attack: Simple. Techniques are available to execute this type of attack.
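The rule logic described above (an M-SEARCH whose ST header is "ssdp:all", arriving on the SSDP port from outside the home network) can be reproduced in a small datagram classifier. The code below is an added example for illustration, not Snort's rule or Talos code; the HOME_NET prefixes, the sample datagrams and the function names are constructed assumptions.

```python
import ipaddress

# Constructed stand-in for Snort's $HOME_NET (assumption, not from the rule).
HOME_NET = [ipaddress.ip_network("192.168.0.0/16"),
            ipaddress.ip_network("10.0.0.0/8")]
SSDP_PORT = 1900


def parse_ssdp_request(payload):
    """Parse an HTTPU-style SSDP request into (method, headers).

    SSDP reuses HTTP/1.1 request syntax over UDP: a request line, then
    header lines, then a blank line.  Header names are case-insensitive.
    Returns None for anything that is not a well-formed SSDP request.
    """
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None
    lines = text.splitlines()          # accepts CRLF or bare LF
    if not lines:
        return None
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1.1"):
        return None
    headers = {}
    for line in lines[1:]:
        if line == "":                 # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if not sep:
            return None                # malformed header line
        headers[name.strip().lower()] = value.strip()
    return parts[0], headers


def is_ssdp_all_msearch(payload):
    """True when the datagram is an M-SEARCH asking for every UPnP device."""
    parsed = parse_ssdp_request(payload)
    if parsed is None:
        return False
    method, headers = parsed
    return method == "M-SEARCH" and headers.get("st", "").lower() == "ssdp:all"


def classify(src_ip, dst_port, payload):
    """Return 'alert' for an ssdp:all M-SEARCH sent to the SSDP port from
    outside HOME_NET (the condition the rule describes), else 'ok'.
    Internal discovery with ssdp:all is normal UPnP behaviour and is not flagged.
    """
    if dst_port != SSDP_PORT or not is_ssdp_all_msearch(payload):
        return "ok"
    src = ipaddress.ip_address(src_ip)
    if any(src in net for net in HOME_NET):
        return "ok"
    return "alert"


# Constructed sample datagrams (not captured traffic).
MSEARCH_ALL = (b"M-SEARCH * HTTP/1.1\r\n"
               b"HOST: 239.255.255.250:1900\r\n"
               b"MAN: \"ssdp:discover\"\r\n"
               b"MX: 1\r\n"
               b"ST: ssdp:all\r\n\r\n")
MSEARCH_ROOT = MSEARCH_ALL.replace(b"ST: ssdp:all", b"ST: upnp:rootdevice")
NOT_SSDP = b"\xff\xfe\x00garbage"

if __name__ == "__main__":
    for src, port, data in [("203.0.113.7", 1900, MSEARCH_ALL),
                            ("192.168.1.20", 1900, MSEARCH_ALL),
                            ("203.0.113.7", 1900, MSEARCH_ROOT),
                            ("203.0.113.7", 1900, NOT_SSDP)]:
        print(src, port, classify(src, port, data))
```

The header names are lowercased before lookup because real UPnP stacks send "ST", "St" and "st" interchangeably; a detector that matches only the exact spelling would miss the variant forms the rule is meant to catch.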

What To Look For

Known Usage

No public information

False Positives

No known false positives

Cisco Talos Intelligence Group

MITRE ATT&CK Framework

For reference, see the MITRE ATT&CK vulnerability types here:

Additional Links

Rule Vulnerability

CVE Additional Information

The monlist feature in ntp_request.c in ntpd in NTP before 4.2.7p26 allows remote attackers to cause a denial of service (traffic amplification) via forged (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1 requests, as exploited in the wild in December 2013.
Severity: MEDIUM
Base Score: 5.0
Impact Score: 2.9
Exploit Score: 10.0
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
Access Vector:
Authentication: NONE
Ease of Access: