
List:       emerging-sigs
Subject:    [Emerging-Sigs] ET POLICY TLS/SSL Encrypted Application Data on Unusual Port
From:       markus.lude () gmx ! de (Markus Lude)
Date:       2008-02-06 16:07:37
Message-ID: 20080206160737.GA8735 () fuseki ! my ! domain

On Wed, Feb 06, 2008 at 07:11:21AM -0600, Jack Pepper wrote:
> Quoting Thierry CHICH <thierry.chich at ac-clermont.fr>:
> 
> > Is there somebody who has found a way to see if the traffic that triggers that
> > alert is eDonkey or not? I have a lot of alerts, and it is boring me to just
> > let all this P2P traffic pass and do nothing.
> 
> In cases where I have confirmed the P2P usage, the defining feature  
> was that one inside address was hitting those rules on dozens of  
> outside addrs.
> 
> one inside addr -->  one outside addr  [ not p2p, but something else ]
> 
> one inside addr -->  lots of outside addrs [ p2p or malware infection ]

If the outside port is (often) 9001, it may be Tor traffic.

Regards,
Markus
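The two heuristics in this thread (Jack's fan-out count per inside address, Markus's outside port 9001 as a Tor hint) are easy to turn into a triage pass over the alert log. The script below is an added example and is not code from the list or from Emerging Threats; it assumes a snort/suricata fast.log-style line with `{TCP} src:port -> dst:port`, constructs its own sample alerts inline, and the thresholds (10 distinct outside hosts for fan-out, half of a source's alerts on 9001 for Tor) are illustrative assumptions, not values anyone in the thread gave.

```python
import re
from collections import Counter, defaultdict


def _alert(src, sport, dst, dport):
    """Build one constructed fast.log-style alert line (sample data, not a real capture)."""
    return (f"02/06-10:00:01.000000  [**] ET POLICY TLS/SSL Encrypted Application Data "
            f"on Unusual Port [**] {{TCP}} {src}:{sport} -> {dst}:{dport}")


# Constructed sample: three inside hosts with three different behaviours.
SAMPLE_ALERTS = (
    # 10.0.0.5 hits a dozen different outside hosts on assorted ports (fan-out)
    [_alert("10.0.0.5", 50000 + i, f"203.0.113.{i}", 4000 + i) for i in range(1, 13)]
    # 10.0.0.7 talks repeatedly to a single outside host on one port
    + [_alert("10.0.0.7", 51000 + i, "198.51.100.20", 8443) for i in range(5)]
    # 10.0.0.9 talks to a few outside hosts, mostly on 9001
    + [_alert("10.0.0.9", 52000 + i, f"192.0.2.{i}", 9001) for i in range(1, 4)]
    + [_alert("10.0.0.9", 52010, "192.0.2.50", 443)]
)

# Assumed layout: "{PROTO} src:sport -> dst:dport" somewhere in the line.
LINE_RE = re.compile(
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_alerts(lines):
    """Yield (src, dst, dport) for every line carrying a src -> dst tuple; skip the rest."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), m.group("dst"), int(m.group("dport"))


def profile_sources(lines):
    """Per inside address: the set of distinct outside peers and a histogram of outside ports."""
    peers = defaultdict(set)
    ports = defaultdict(Counter)
    for src, dst, dport in parse_alerts(lines):
        peers[src].add(dst)
        ports[src][dport] += 1
    return {src: {"peers": peers[src], "ports": ports[src]} for src in peers}


def classify(profile, fanout_threshold=10, tor_port=9001, tor_share=0.5):
    """
    Apply the thread's heuristics to one source's profile (thresholds are assumptions):
    - at least `tor_share` of its alerts go to `tor_port`   -> "tor-like"
    - at least `fanout_threshold` distinct outside hosts    -> "fan-out" (P2P or infection)
    - otherwise                                              -> "single-peer" (something else)
    """
    total = sum(profile["ports"].values())
    if total and profile["ports"][tor_port] / total >= tor_share:
        return "tor-like"
    if len(profile["peers"]) >= fanout_threshold:
        return "fan-out"
    return "single-peer"


def triage(lines, **kw):
    """Map each inside address seen in the alerts to its verdict."""
    return {src: classify(p, **kw) for src, p in profile_sources(lines).items()}


if __name__ == "__main__":
    profiles = profile_sources(SAMPLE_ALERTS)
    for src, verdict in sorted(triage(SAMPLE_ALERTS).items()):
        p = profiles[src]
        top_port, top_count = p["ports"].most_common(1)[0]
        print(f"{src:<10} {verdict:<12} peers={len(p['peers']):<3} "
              f"top outside port={top_port} ({top_count} alerts)")
```

Run it against a real fast.log by replacing `SAMPLE_ALERTS` with the file's lines; the Tor check is applied before the fan-out check on purpose, because a Tor client also fans out to many relays and would otherwise be lumped in with P2P.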

