[Emerging-Sigs] ET POLICY TLS/SSL Encrypted Application Data on Unusual Port
Jack Pepper
pepperjack at afferentsecurity.com
Wed Feb 6 08:11:21 EST 2008
Quoting Thierry CHICH <thierry.chich at ac-clermont.fr>:
> Has anybody found a way to tell whether the traffic that triggers that
> alert is eDonkey or not? I have a lot of alerts, and it is boring me to just
> let all this P2P traffic pass and do nothing.
In cases where I have confirmed the P2P usage, the defining feature
was that one inside address was hitting those rules on dozens of
outside addrs.
one inside addr --> one outside addr [ not p2p, but something else ]
one inside addr --> lots of outside addrs [ p2p or malware infection ]
jp--
Framework? I don't need no stinking framework!
----------------------------------------------------------------
@fferent Security Labs: Isolate/Insulate/Innovate
http://www.afferentsecurity.com
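The fan-out heuristic in the reply above (one inside address hitting the rule against many outside addresses) is easy to automate over the alert log. The following is an added example, not code from the thread or from the Emerging Threats project: it parses Snort "fast"-format alert lines, groups the ET POLICY alert by inside host, and labels each host by how many distinct outside peers it touched. The sample alert lines are constructed (RFC 5737 documentation addresses, a placeholder SID from the local-rules range), the inside networks are an assumption, and the threshold of 12 is an assumed stand-in for the post's "dozens".

```python
"""Fan-out triage for the ET POLICY TLS/SSL-on-unusual-port alert (added example)."""
import ipaddress
import re
from collections import defaultdict

MSG = "ET POLICY TLS/SSL Encrypted Application Data on Unusual Port"

# Assumption for the example: which address space counts as "inside".
INSIDE_NETS = [ipaddress.ip_network("10.0.0.0/8"),
               ipaddress.ip_network("192.168.0.0/16")]

# Snort "fast" alert line:
#   <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: n] {PROTO} A:p -> B:p
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


def _alert(ts, src, sport, dst, dport, msg=MSG, sid=1000001):
    """Build one constructed alert line; SID 1000001 is a local-rules placeholder."""
    return (f"02/06-{ts}  [**] [1:{sid}:1] {msg} [**] "
            f"[Classification: Potential Corporate Privacy Violation] [Priority: 1] "
            f"{{TCP}} {src}:{sport} -> {dst}:{dport}")


# Constructed sample log. 10.0.0.5 reaches 14 distinct outside hosts on one
# port: the "lots of outside addrs" pattern. 10.0.0.9 hits a single outside
# host three times: the "one outside addr" pattern. The last line is a
# different (placeholder) rule and must be ignored by the triage.
SAMPLE_ALERTS = (
    [_alert(f"08:00:{i:02d}.000000", "10.0.0.5", 49000 + i, f"203.0.113.{i}", 4662)
     for i in range(1, 15)]
    + [_alert("08:05:00.000000", "10.0.0.9", 51000 + i, "198.51.100.20", 8443)
       for i in range(3)]
    + [_alert("08:06:00.000000", "10.0.0.5", 52000, "198.51.100.30", 22,
              msg="CONSTRUCTED unrelated alert", sid=1000002)]
)


def parse_alert(line):
    """Return the named fields of a fast-format alert line, or None if it does not match."""
    m = ALERT_RE.match(line)
    return m.groupdict() if m else None


def is_inside(ip):
    """True if the address falls in one of the assumed inside networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INSIDE_NETS)


def peer_fanout(lines, msg=MSG):
    """Map each inside host to the set of distinct outside hosts it triggered `msg` against.

    Direction is normalised: the inside host is the key whether it was
    src or dst in the alert, so both client- and server-side hits count.
    """
    fanout = defaultdict(set)
    for line in lines:
        a = parse_alert(line)
        if a is None or a["msg"] != msg:
            continue
        if is_inside(a["src"]) and not is_inside(a["dst"]):
            fanout[a["src"]].add(a["dst"])
        elif is_inside(a["dst"]) and not is_inside(a["src"]):
            fanout[a["dst"]].add(a["src"])
    return fanout


def triage(lines, threshold=12, msg=MSG):
    """Label each inside host using the fan-out heuristic from the thread.

    `threshold` (assumed value) stands in for "dozens"; tune it per network.
    """
    labels = {}
    for host, peers in peer_fanout(lines, msg).items():
        if len(peers) >= threshold:
            labels[host] = "likely_p2p_or_malware"
        elif len(peers) == 1:
            labels[host] = "single_peer_not_p2p"
        else:
            labels[host] = "low_fanout_review"
    return labels


if __name__ == "__main__":
    for host, label in sorted(triage(SAMPLE_ALERTS).items()):
        peers = len(peer_fanout(SAMPLE_ALERTS)[host])
        print(f"{host:15} {peers:3} outside peers  {label}")
```

Feeding the real `alert` file in through `peer_fanout` (one line per alert) gives the per-host peer counts the reply describes; the single-peer hosts are the ones worth a closer look at what the "something else" actually is, and the high fan-out hosts are the P2P or infection candidates.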