[Emerging-Sigs] ET POLICY TLS/SSL Encrypted Application Data on Unusual Port
Markus Lude
markus.lude at gmx.de
Wed Feb 6 11:07:37 EST 2008
On Wed, Feb 06, 2008 at 07:11:21AM -0600, Jack Pepper wrote:
> Quoting Thierry CHICH <thierry.chich at ac-clermont.fr>:
>
> > Is there somebody who has found a way to see if the traffic that triggers that
> > alert is eDonkey or not? I have a lot of alerts, and it is boring me to just
> > let all this p2p traffic pass and do nothing.
>
> In cases where I have confirmed the P2P usage, the defining feature
> was that one inside address was hitting those rules on dozens of
> outside addrs.
>
> one inside addr --> one outside addr [ not p2p, but something else ]
>
> one inside addr --> lots of outside addrs [ p2p or malware infection ]
If the outside port is (often) 9001, it may be Tor traffic.
Regards,
Markus
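The two triage heuristics in this thread (Jack's fan-out rule: one inside address hitting dozens of outside addresses points to p2p or a malware infection, one-to-one points to something else; Markus's note that an outside port of 9001 suggests Tor) can be applied mechanically to the alert log. The script below is an added example, not code from the list or from the Emerging Threats project. The alert records are constructed, simplified Snort-style fast-alert lines (documentation addresses, no real sensor output); the inside prefix, the fan-out threshold of 5 distinct peers (Jack's real-world figure is "dozens"; the sample is small), and the 50% share of alerts on port 9001 are assumptions chosen for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample alerts (not real sensor output): simplified Snort-style
# fast-alert records, one per hit on the "TLS/SSL Encrypted Application Data
# on Unusual Port" rule. Addresses come from the documentation ranges.
SAMPLE_ALERTS = """\
02/06-10:01:02.000001 {TCP} 192.0.2.10:51234 -> 203.0.113.5:8443
02/06-10:01:05.000001 {TCP} 192.0.2.10:51235 -> 203.0.113.5:8443
02/06-10:02:11.000001 {TCP} 192.0.2.20:40001 -> 198.51.100.11:4662
02/06-10:02:12.000001 {TCP} 192.0.2.20:40002 -> 198.51.100.12:4672
02/06-10:02:13.000001 {TCP} 192.0.2.20:40003 -> 198.51.100.13:4662
02/06-10:02:14.000001 {TCP} 192.0.2.20:40004 -> 198.51.100.14:7000
02/06-10:02:15.000001 {TCP} 192.0.2.20:40005 -> 198.51.100.15:4662
02/06-10:02:16.000001 {TCP} 192.0.2.20:40006 -> 198.51.100.16:12345
02/06-10:05:00.000001 {TCP} 192.0.2.30:33001 -> 198.51.100.77:9001
02/06-10:05:01.000001 {TCP} 192.0.2.30:33002 -> 198.51.100.78:9001
02/06-10:05:02.000001 {TCP} 192.0.2.30:33003 -> 198.51.100.79:9001
02/06-10:06:00.000001 {TCP} 198.51.100.200:55555 -> 192.0.2.40:8443
"""

# The 5-tuple part of a fast-alert line: "src:sport -> dst:dport".
FLOW_RE = re.compile(
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)"
)

# Assumptions for this example: which prefixes are "inside", how many distinct
# outside peers count as fan-out (Jack's "dozens" in practice; 5 for the small
# sample), and the default Tor ORPort Markus mentions with the share of alerts
# on that port before we call it "often".
INSIDE_PREFIXES = ("192.0.2.",)
FANOUT_THRESHOLD = 5
TOR_PORT = 9001
TOR_SHARE = 0.5

VERDICT_LOW_FANOUT = "few destinations: not p2p, something else"
VERDICT_FANOUT = "fan-out: p2p or malware infection"
VERDICT_TOR = "possible Tor: outside port is often 9001"


def parse_flows(text):
    """Yield (inside_addr, outside_addr, outside_port) for each alert line.

    Outbound and inbound records are normalised so the inside host comes
    first; lines where neither side is inside are skipped.
    """
    for line in text.splitlines():
        m = FLOW_RE.search(line)
        if not m:
            continue
        src, dst = m["src"], m["dst"]
        if src.startswith(INSIDE_PREFIXES):
            yield src, dst, int(m["dport"])
        elif dst.startswith(INSIDE_PREFIXES):
            yield dst, src, int(m["sport"])


def triage(flows, fanout_threshold=FANOUT_THRESHOLD):
    """Group alerts per inside host and apply the thread's two heuristics."""
    peers = defaultdict(set)        # inside host -> distinct outside addresses
    ports = defaultdict(Counter)    # inside host -> outside port histogram
    for inside, outside, port in flows:
        peers[inside].add(outside)
        ports[inside][port] += 1

    report = {}
    for inside, outside_set in peers.items():
        total = sum(ports[inside].values())
        tor_share = ports[inside][TOR_PORT] / total
        if tor_share >= TOR_SHARE:
            verdict = VERDICT_TOR
        elif len(outside_set) >= fanout_threshold:
            verdict = VERDICT_FANOUT
        else:
            verdict = VERDICT_LOW_FANOUT
        report[inside] = {
            "peers": len(outside_set),
            "alerts": total,
            "top_ports": ports[inside].most_common(3),
            "verdict": verdict,
        }
    return report


def triage_text(text=SAMPLE_ALERTS):
    """Convenience wrapper: parse raw alert text and return the per-host report."""
    return triage(parse_flows(text))


if __name__ == "__main__":
    for host, info in sorted(triage_text().items()):
        print(f"{host}: {info['peers']} outside peers, {info['alerts']} alerts, "
              f"top ports {info['top_ports']} -> {info['verdict']}")
```

The Tor check runs before the fan-out check because Markus's hint does not depend on the number of peers; a host hitting a single relay on 9001 is still worth a Tor hypothesis. Everything the script emits is a triage hint for an analyst, not a confirmation: a fan-out host still needs its flows or packet captures looked at before it is declared p2p or infected.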