[Snort-sigs] FPs with SID:2587 "P2P eDonkey transfer"
Jason.Haar at ...651...
Thu Jul 29 17:05:03 EDT 2004
We've had this rule triggering off whenever someone makes an outgoing SSL
connection where their src port happens to be 4242. It's also triggered on
binary FTP DATA traffic too.
I just think that rule's too small. Specific src port plus the first byte
being "|E3|" is just too likely to go off (statistically) on a largish
Anyone got some eDonkey traffic to come up with a better match?
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
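To make the false-positive argument concrete, here is an added example (not part of the original post or of the Snort rule set) contrasting the loose match the post describes, a source port of 4242 plus a first payload byte of E3, with a check that validates eDonkey framing. The rule body of SID 2587 is not quoted on the page, so the loose matcher below is an assumption about what it tests. The framing check relies on the eDonkey client/server header layout as documented for eMule: protocol byte E3, a 4-byte little-endian length covering everything after the length field, then a 1-byte opcode. All sample payloads are constructed for the example.

```python
import struct

EDONKEY_PROTO = 0xE3   # eDonkey protocol id byte (the "|E3|" in the rule)
EDONKEY_PORT = 4242    # source port the post says the rule keys on (assumed rule detail)


def loose_match(src_port: int, payload: bytes) -> bool:
    """Approximation of the match described in the post: src port 4242 and
    first payload byte 0xE3. Nothing else about the packet is inspected."""
    return src_port == EDONKEY_PORT and len(payload) >= 1 and payload[0] == EDONKEY_PROTO


def strict_match(payload: bytes) -> bool:
    """Validate eDonkey framing instead of one byte: protocol byte 0xE3, then a
    little-endian 32-bit length that must equal the number of bytes that follow
    the length field (opcode + body). Any binary stream that merely starts with
    0xE3 will almost never carry a length word consistent with its own size."""
    if len(payload) < 6 or payload[0] != EDONKEY_PROTO:
        return False
    (length,) = struct.unpack_from("<I", payload, 1)
    return length == len(payload) - 5


def build_edonkey_packet(opcode: int, body: bytes) -> bytes:
    """Construct a well-formed eDonkey packet for testing (sample data, not captured)."""
    rest = bytes([opcode]) + body
    return bytes([EDONKEY_PROTO]) + struct.pack("<I", len(rest)) + rest


# Constructed samples:
# 1. an eDonkey packet with opcode 0x01 (login request in the eMule protocol
#    description) and an arbitrary body
EDONKEY_SAMPLE = build_edonkey_packet(0x01, b"\x00" * 16 + b"\x01\x02\x03\x04" + b"\x00\x00")
# 2. a chunk of a binary file transfer that happens to begin with 0xE3; the next
#    four bytes read as an absurd length, so only the loose check fires on it
FTP_DATA_SAMPLE = b"\xe3\x7f\x45\x4c\x46\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00"


def classify(src_port: int, payload: bytes) -> dict:
    """Return both verdicts so the difference is visible side by side."""
    return {
        "loose": loose_match(src_port, payload),
        "strict": src_port == EDONKEY_PORT and strict_match(payload),
    }


if __name__ == "__main__":
    for name, payload in (("edonkey", EDONKEY_SAMPLE), ("ftp-data", FTP_DATA_SAMPLE)):
        print(name, classify(EDONKEY_PORT, payload))
```

The framing check only helps when the inspected segment begins at an eDonkey packet boundary; a length word that spans the end of a TCP segment, or a packet that started in an earlier segment, will fail `strict_match` even for genuine eDonkey traffic, so a production rule would still want stream reassembly and probably a plausible opcode set in addition to the length check.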