[Snort-sigs] FPs with SID:2587 "P2P eDonkey transfer"

Jason Haar Jason.Haar at ...651...
Thu Jul 29 17:05:03 EDT 2004

We've had this rule triggering off whenever someone makes an outgoing SSL
connection where their src port happens to be 4242. It's also triggered on
binary FTP DATA traffic too.

I just think that rule's too small. Specific src port plus the first byte
being "|E3|" is just too likely to go off (statistically) on a largish

Anyone got some eDonkey traffic to come up with a better match?


Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

More information about the Snort-sigs mailing list