Snort mailing list archives
A bunch of FP's with Skype? (ET rules)
From: NA <dustypath () comcast net>
Date: Mon, 10 Oct 2011 13:51:35 -0700
Hi all, I was using Skype for 20 minutes and came up with all this via Base:

- [url <http://doc.emergingthreats.net/bin/view/Main/2003317>] [url <http://www.giac.org/certified_professionals/practicals/gcih/0446.php>] [local <http://192.168.77.37/base/signatures/2003317.txt>] [EmThreats <http://docs.emergingthreats.net/2003317>] ET P2P Edonkey Search Request (any type file) policy-violation 4 (2%) sid 2003317
- [url <http://doc.emergingthreats.net/bin/view/Main/2003320>] [url <http://www.giac.org/certified_professionals/practicals/gcih/0446.php>] [local <http://192.168.77.37/base/signatures/2003320.txt>] [EmThreats <http://docs.emergingthreats.net/2003320>] ET P2P Edonkey Search Results policy-violation 6 (2%) sid 2003317
- [url <http://doc.emergingthreats.net/bin/view/Main/2003310>] [url <http://www.giac.org/certified_professionals/practicals/gcih/0446.php>] [local <http://192.168.77.37/base/signatures/2003310.txt>] [EmThreats <http://docs.emergingthreats.net/2003310>] ET P2P Edonkey Publicize File policy-violation 2 (1%) sid 2003310
- [url <http://doc.emergingthreats.net/bin/view/Main/2003313>] [url <http://www.giac.org/certified_professionals/practicals/gcih/0446.php>] [local <http://192.168.77.37/base/signatures/2003313.txt>] [EmThreats <http://docs.emergingthreats.net/2003313>] ET P2P Edonkey Connect Reply and Server List policy-violation 5 (2%) sid 2003313
- [url <http://doc.emergingthreats.net/2009971>] [url <http://emule-project.net>] [local <http://192.168.77.37/base/signatures/2009971.txt>] [EmThreats <http://docs.emergingthreats.net/2009971>] ET P2P eMule KAD Network Hello Request (2) policy-violation 5 (2%) sid 2009971
- [url <http://doc.emergingthreats.net/bin/view/Main/2003315>] [url <http://www.giac.org/certified_professionals/practicals/gcih/0446.php>] [local <http://192.168.77.37/base/signatures/2003315.txt>] [EmThreats <http://docs.emergingthreats.net/2003315>] ET P2P Edonkey Search Reply policy-violation 5 (2%) sid 2003315

No files were passed.

My reaction is to look at turning off some or most if not all ET policy-violation rules, or at least, an FP incident at a time. Any comments would be appreciated....

Thx
Bill B
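Added example, not part of the thread or of the ET/Snort projects: rather than switching the ET policy-violation rules off globally, a common tuning step is to tally which hosts are producing the hits and write Snort 2 `threshold.conf` `suppress` entries scoped to the hosts known to run Skype, so the same SIDs keep alerting for every other host. The script below parses Snort `alert_fast`-style lines, counts hits per SID and source, emits per-host `suppress gen_id ..., sig_id ..., track by_src, ip ...` lines, and separately reports SIDs still firing from hosts outside the known-Skype list. The log lines are constructed, and the 192.168.77.50/.60 hosts and the `known_skype_hosts` set are assumptions; the SIDs are the ones quoted in the post.

```python
import re
from collections import defaultdict

# Constructed sample alert_fast lines (not from the thread). SIDs are the ET P2P
# signatures named in the post; the 192.168.77.x source hosts are assumed.
SAMPLE_ALERTS = "\n".join([
    "# snort alert_fast log (constructed sample)",
    "10/10-13:40:01.000001  [**] [1:2003317:6] ET P2P Edonkey Search Request (any type file) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 192.168.77.50:4672 -> 198.51.100.7:4665",
    "10/10-13:40:03.000002  [**] [1:2003317:6] ET P2P Edonkey Search Request (any type file) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 192.168.77.50:4672 -> 198.51.100.8:4665",
    "10/10-13:40:05.000003  [**] [1:2003320:5] ET P2P Edonkey Search Results [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 192.168.77.50:4672 -> 198.51.100.7:4665",
    "10/10-13:40:09.000004  [**] [1:2003317:6] ET P2P Edonkey Search Request (any type file) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 192.168.77.50:4672 -> 198.51.100.9:4665",
    "10/10-13:40:11.000005  [**] [1:2003320:5] ET P2P Edonkey Search Results [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 192.168.77.50:4672 -> 198.51.100.8:4665",
    "10/10-13:40:15.000006  [**] [1:2003315:5] ET P2P Edonkey Search Reply [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 192.168.77.50:4672 -> 198.51.100.7:4665",
    "10/10-13:41:02.000007  [**] [1:2003317:6] ET P2P Edonkey Search Request (any type file) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 192.168.77.60:4672 -> 198.51.100.7:4665",
])

# [gid:sid:rev] msg [**] ... {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)


def parse_alerts(text):
    """Yield (gid, sid, msg, src_ip) for each alert_fast line; non-matching lines are skipped."""
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            yield int(m.group("gid")), int(m.group("sid")), m.group("msg"), m.group("src")


def tally(text):
    """Return ({(gid, sid): {src_ip: hits}}, {(gid, sid): msg})."""
    counts = defaultdict(lambda: defaultdict(int))
    msgs = {}
    for gid, sid, msg, src in parse_alerts(text):
        counts[(gid, sid)][src] += 1
        msgs[(gid, sid)] = msg
    return counts, msgs


def suppress_entries(counts, msgs, known_skype_hosts, min_hits=2):
    """Build threshold.conf 'suppress' lines, one per (SID, host), limited to hosts in
    known_skype_hosts that produced at least min_hits alerts for that SID. Other hosts
    and low-volume SIDs are left alone so the rule still alerts for them."""
    lines = []
    for (gid, sid), per_src in sorted(counts.items()):
        hosts = sorted(h for h, n in per_src.items() if h in known_skype_hosts and n >= min_hits)
        for host in hosts:
            lines.append(f"# {msgs[(gid, sid)]} ({per_src[host]} hits from {host})")
            lines.append(f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {host}")
    return lines


def unexplained(counts, known_skype_hosts):
    """Return {(gid, sid): [hosts]} for alerts coming from hosts NOT on the Skype list;
    these are the ones an analyst should still look at before touching the rule."""
    out = {}
    for key, per_src in counts.items():
        others = sorted(h for h in per_src if h not in known_skype_hosts)
        if others:
            out[key] = others
    return out


if __name__ == "__main__":
    known = {"192.168.77.50"}  # assumed: the workstation that was running Skype
    counts, msgs = tally(SAMPLE_ALERTS)
    print("\n".join(suppress_entries(counts, msgs, known)))
    for (gid, sid), hosts in unexplained(counts, known).items():
        print(f"# still firing from non-Skype hosts for {gid}:{sid}: {', '.join(hosts)}")
```

Paste the emitted `suppress` lines into `threshold.conf` (or whichever file `snort.conf` includes for thresholding) and restart Snort; an `event_filter ... type limit` entry is the alternative when you want the first hit per host per interval to still be logged rather than silenced entirely.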
Current thread:
- A bunch of FP's with Skype? (ET rules) NA (Oct 10)
- Re: A bunch of FP's with Skype? (ET rules) Jeff Kell (Oct 10)
- Re: A bunch of FP's with Skype? (ET rules) Matthew Jonkman (Oct 14)
- Re: A bunch of FP's with Skype? (ET rules) Jeff Kell (Oct 10)