[Emerging-Sigs] ET POLICY TLS/SSL Encrypted Application Data on Unusual Port

Matt Jonkman jonkman at jonkmans.com
Wed Feb 6 09:47:47 EST 2008


I agree there. If it's really P2P it'll be lots of high ports, and lots
of destinations. And if it's edonkey those rules are pretty reliable, so
you'll see many specific hits there.

The TLS sigs are also reliable, and it's got to get through 3 or 4
flowbit sets to fire this sig. Try capturing the stream and you should
be able to see the ssl certificate in there somewhere. Open it with
wireshark or something that can show you the cert, that'll give you some
clues as to who/what the communication is.

If you need to block it, I'd recommend snortsam. Flex is good, but it'll
create a lot of noise, and not actually stop P2P if it were actually
edonkey, just slow it up and annoy everyone. :)

Matt

Jack Pepper wrote:
> Quoting Thierry CHICH <thierry.chich at ac-clermont.fr>:
> 
>> Is there somebody who has found a way to see if the traffic that triggers that
>> alert is edonkey or not? I have a lot of alerts, and it is boring me to just
>> let all this p2p traffic pass, and do nothing.
> 
> In cases where I have confirmed the P2P usage, the defining feature
> was that one inside address was hitting those rules on dozens of
> outside addrs.
> 
> one inside addr --> one outside addr  [ not p2p, but something else ]
> 
> one inside addr --> lots of outside addrs [ p2p or malware infection ]
> 
> jp--
> Framework?  I don't need no stinking framework!
> 
> ----------------------------------------------------------------
> @fferent Security Labs:  Isolate/Insulate/Innovate  
> http://www.afferentsecurity.com

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
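The one-inside-to-many-outside heuristic from Jack's reply above, as an added example that is not part of this thread: it parses Snort fast-format alert lines for this signature, counts the distinct outside addresses each inside host was paired with, and labels hosts the way the thread does. The sample lines, the 9999999 SID, the 10.0.0.0/8 inside range and the numeric cut-off standing in for "dozens" are all assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed Snort "fast" alert lines: SID 9999999 is a placeholder, addresses
# are RFC 5737 documentation ranges, and the inside net 10.0.0.0/8 is assumed.
SIG = "ET POLICY TLS/SSL Encrypted Application Data on Unusual Port"
SAMPLE_ALERTS = "\n".join(
    f"02/06-09:4{i}:00.000000  [**] [1:9999999:1] {SIG} [**] [Priority: 1] "
    f"{{TCP}} {src} -> {dst}"
    for i, (src, dst) in enumerate([
        ("10.1.2.3:51001", "203.0.113.10:4662"),   # host A: many peers, high ports
        ("10.1.2.3:51002", "198.51.100.7:4662"),
        ("10.1.2.3:51003", "198.51.100.99:23411"),
        ("10.1.2.3:51004", "203.0.113.201:4662"),
        ("10.1.2.3:51005", "192.0.2.77:12345"),
        ("10.1.2.50:60000", "192.0.2.44:8443"),    # host B: one peer only
        ("10.1.2.50:60001", "192.0.2.44:8443"),
        ("192.0.2.44:8443", "10.1.2.50:60001"),    # return direction, skipped
    ])
)

ALERT_RE = re.compile(r"\[\*\*\] \[\d+:\d+:\d+\] (?P<msg>.*?) \[\*\*\].*?"
                      r"\{\w+\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+")


def parse_alert(line):
    """Return (msg, src_ip, dst_ip) from a fast-format alert line, or None."""
    m = ALERT_RE.search(line)
    return None if m is None else (m["msg"], m["src"], m["dst"])


def fanout_by_inside_host(lines, inside_net="10.0.0.0/8", msg=SIG):
    """Map each inside source address to the distinct outside addresses it hit."""
    inside = ipaddress.ip_network(inside_net)
    peers = defaultdict(set)
    for line in lines.splitlines():
        parsed = parse_alert(line)
        if parsed is None or parsed[0] != msg:
            continue  # other signatures and unparsable lines are ignored
        src, dst = ipaddress.ip_address(parsed[1]), ipaddress.ip_address(parsed[2])
        if src in inside and dst not in inside:  # keep only inside -> outside
            peers[str(src)].add(str(dst))
    return dict(peers)


def classify(peers, many=12):
    """Thread's rule: one outside addr is 'something else', dozens is P2P or an
    infection. 'many' is an assumed cut-off standing in for 'dozens'."""
    return {src: ("p2p or malware infection" if len(dsts) >= many
                  else "not p2p, something else")
            for src, dsts in peers.items()}
```

Run `classify(fanout_by_inside_host(open("alert").read()), many=24)` against a real fast-format alert file to get the per-host labels; the return-direction line in the sample shows why the inside/outside check matters.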