[Emerging-Sigs] Ares TCP signature.
Matt Jonkman
jonkman at jonkmans.com
Tue Feb 26 17:15:13 EST 2008
That sig is quite reliable. If you're seeing it then it's likely there
is Ares P2P stuff going on.
If you can share a packet or two we can confirm. But there isn't
anything I'm aware of that'd cause this to false in any numbers.
Matt
Husnu Demir wrote:
> alert TCP any 1024: -> any 1024: (msg:"ET P2P Ares TCP - hdemir";
> content:"@Ares|00|"; flags:PA,12; classtype:policy-violation;
> sid:3000014; rev:1;)
>
> Finds lots of ARES. Can somebody check also?
>
> hdemir.
_______________________________________________
Emerging-sigs mailing list
Emerging-sigs at emergingthreats.net
http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc
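The rule quoted above packs several conditions into one line. The following is an added example, not part of the thread or of the Emerging Threats ruleset: a small Python evaluator that applies the same conditions (both ports 1024 and above, PSH+ACK with reserved bits masked, the byte string "@Ares" followed by a NUL) to constructed packet records, so a reader can see exactly what the sig does and does not fire on. The Packet class and sample packets are assumptions made up for the example.

```python
# Added example (not from the thread): evaluate the conditions of
#   alert TCP any 1024: -> any 1024: (content:"@Ares|00|"; flags:PA,12; ...)
# against constructed packets.
#   "1024:"      port 1024 or higher, checked on both source and destination
#   flags:PA,12  PSH and ACK set and nothing else, with reserved bits 1 and 2
#                (ECE/CWR) masked out before the comparison
#   |00|         Snort hex escape, so the content bytes are b"@Ares\x00"
from dataclasses import dataclass

# TCP flag bits in header order (FIN is the low bit)
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = 1, 2, 4, 8, 16, 32, 64, 128
RESERVED_MASK = ECE | CWR          # the ",12" part of flags:PA,12
ARES_CONTENT = b"@Ares\x00"        # content:"@Ares|00|"

@dataclass
class Packet:                      # hypothetical record, not a Snort type
    sport: int
    dport: int
    flags: int
    payload: bytes

def port_match(sport: int, dport: int) -> bool:
    """'any 1024: -> any 1024:' : both ports in the range 1024 and up."""
    return sport >= 1024 and dport >= 1024

def flags_match(flags: int) -> bool:
    """flags:PA,12 : exactly PSH+ACK once ECE/CWR are ignored."""
    return (flags & ~RESERVED_MASK) == (PSH | ACK)

def rule_matches(pkt: Packet) -> bool:
    return (port_match(pkt.sport, pkt.dport)
            and flags_match(pkt.flags)
            and ARES_CONTENT in pkt.payload)

# Constructed sample packets (not real captures)
SAMPLES = {
    "ares_like":    Packet(49152, 59049, PSH | ACK, b"@Ares\x00\x01\x02"),
    "ares_ecn":     Packet(49152, 59049, PSH | ACK | ECE, b"xx@Ares\x00"),
    "low_src_port": Packet(80, 59049, PSH | ACK, b"@Ares\x00"),
    "ack_only":     Packet(49152, 59049, ACK, b"@Ares\x00"),
    "no_nul":       Packet(49152, 59049, PSH | ACK, b"@Ares "),
}

def evaluate(samples=SAMPLES) -> dict:
    """Return {sample name: True if the rule would fire}."""
    return {name: rule_matches(p) for name, p in samples.items()}

if __name__ == "__main__":
    for name, fired in evaluate().items():
        print(f"{name:14s} {'ALERT' if fired else '-'}")
```

Only the first two samples alert: the ECN-marked packet still matches because the reserved bits are masked, while the low-port, ACK-only and missing-NUL packets each fail one condition.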