List: emerging-sigs
Subject: [Emerging-Sigs] ET POLICY TLS/SSL Encrypted Application Data on Unusual Port
From: markus.lude () gmx ! de (Markus Lude)
Date: 2008-02-06 16:07:37
Message-ID: 20080206160737.GA8735 () fuseki ! my ! domain
On Wed, Feb 06, 2008 at 07:11:21AM -0600, Jack Pepper wrote:
> Quoting Thierry CHICH <thierry.chich at ac-clermont.fr>:
>
> > Is there somebody that has found a way to see if the traffic that triggers that
> > alert is edonkey or not? I have a lot of alerts, and it is boring me to just
> > let all this p2p traffic pass and do nothing.
>
> In cases where I have confirmed the P2P usage, the defining feature
> was that one inside address was hitting those rules on dozens of
> outside addrs.
>
> one inside addr --> one outside addr [ not p2p, but something else ]
>
> one inside addr --> lots of outside addrs [ p2p or malware infection ]
If the outside port is (often) 9001, it may be Tor traffic.
Regards,
Markus
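The fan-out heuristic Jack describes (one inside address hitting many outside addresses) together with Markus's port 9001 hint, as an added example that is not part of the original thread: a small Python script that reads Snort fast-format alert lines for this rule, counts distinct outside addresses per inside address, and notes when most of the alerts go to port 9001. The alert lines, the SID `1:9999999:1`, the addresses and the `10.` inside prefix are all constructed placeholders, not values from the list post.

```python
import re
from collections import defaultdict

# Constructed sample alerts in Snort "fast" format. The SID is a placeholder,
# not the real Emerging Threats rule id, and all addresses are documentation ranges.
SAMPLE_ALERTS = """\
02/06-10:01:02.000001 [**] [1:9999999:1] ET POLICY TLS/SSL Encrypted Application Data on Unusual Port [**] {TCP} 10.1.1.20:51001 -> 203.0.113.7:9001
02/06-10:01:05.000001 [**] [1:9999999:1] ET POLICY TLS/SSL Encrypted Application Data on Unusual Port [**] {TCP} 10.1.1.20:51002 -> 198.51.100.9:9001
02/06-10:01:09.000001 [**] [1:9999999:1] ET POLICY TLS/SSL Encrypted Application Data on Unusual Port [**] {TCP} 10.1.1.20:51003 -> 192.0.2.44:4662
02/06-10:01:11.000001 [**] [1:9999999:1] ET POLICY TLS/SSL Encrypted Application Data on Unusual Port [**] {TCP} 10.1.1.20:51004 -> 192.0.2.45:9001
02/06-10:02:30.000001 [**] [1:9999999:1] ET POLICY TLS/SSL Encrypted Application Data on Unusual Port [**] {TCP} 10.1.1.31:40001 -> 203.0.113.80:8443
02/06-10:02:31.000001 [**] [1:9999999:1] ET POLICY TLS/SSL Encrypted Application Data on Unusual Port [**] {TCP} 10.1.1.31:40002 -> 203.0.113.80:8443
"""

# Pull protocol, source and destination endpoints off the end of a fast-format line.
ALERT_RE = re.compile(
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def fan_out(alert_text, inside_prefix="10.", threshold=3):
    """Group alerts by inside (source) address and apply the thread's heuristic.

    Returns {inside_addr: {"peers": distinct outside addrs,
                           "tor_port_hits": alerts to port 9001,
                           "verdict": short triage string}}.
    """
    peers = defaultdict(set)        # inside addr -> set of outside addrs
    total = defaultdict(int)        # inside addr -> number of alerts
    port_hits = defaultdict(int)    # inside addr -> alerts whose outside port is 9001
    for line in alert_text.splitlines():
        m = ALERT_RE.search(line)
        if not m or not m.group("src").startswith(inside_prefix):
            continue  # malformed line or not an inside host
        src = m.group("src")
        peers[src].add(m.group("dst"))
        total[src] += 1
        if m.group("dport") == "9001":
            port_hits[src] += 1

    report = {}
    for src, dsts in peers.items():
        if len(dsts) >= threshold:
            verdict = "many outside addrs: p2p or malware infection"
        else:
            verdict = "one/few outside addrs: not p2p, something else"
        if port_hits[src] * 2 >= total[src]:  # majority of alerts to 9001
            verdict += "; outside port often 9001: possibly Tor"
        report[src] = {"peers": len(dsts), "tor_port_hits": port_hits[src], "verdict": verdict}
    return report


if __name__ == "__main__":
    for src, info in fan_out(SAMPLE_ALERTS).items():
        print(f"{src}: {info['peers']} peers, {info['tor_port_hits']} to 9001 -> {info['verdict']}")
```

The threshold of three distinct peers is an assumption chosen for the sample; on a real sensor, tune it against the alert volume and confirm candidates by looking at the actual flows before acting.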