[Snort-sigs] false +ves for BLEEDING-EDGE P2P CHAT Skype VoIP Initialization

Russell Fulton r.fulton at ...575...
Tue Apr 19 14:56:18 EDT 2005


Hi Folks,

I am seeing a lot of hits against this rule that appear to be
legitimate SSL sessions.  Ironically, I don't see any real hits in spite
of there being considerable amounts of Skype on the network.

Russell

META
--------
SID     CID     TimeStamp               Signature
4       4241123 2005-04-19 16:54:10     BLEEDING-EDGE P2P CHAT Skype VoIP Initialization
Sig ID
2001333

Sensor Hostname                         Sensor Interface
jamjar  em0

IP
--------
Source Address  Dest Address    Ver     Hdr Len
130.216.42.235  216.113.188.35  4       5
TOS     length  ID      flags   offset  TTL     chksum
0       112     63760   2       0       124     49950

Resolved Source
Could Not Resolve
Resolved Dest
www.paypal.com 

TCP
--------
Source Port     Dest Port       Seq             Ack             
2078            443             4136229540      3248128544
Offset  Reserved        Flags   Window  Checksum        Urgent Ptr
5       0               24      64860   26581           0

Options
--------
None


Flags
--------
RB 1    RB 0    URG     ACK     PSH     RST     SYN     FIN
                        X       X                               

DATA
--------
8046010301002D000000    .F....-...
1000000500000400000A    ..........
00000900006400006200    .....d..b.
00080000030000060100    ..........
800700C0030080060040    .........@
02008004008042648D74    ......Bd.t
D911519B42C145D36AD6    ..Q.B.E.j.
41E8    A.
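
A triage check for the payload in the alert above, as an added example that is not part of the original post: it parses the DATA bytes as an SSLv2-format ClientHello (the backward-compatible hello described in RFC 5246 Appendix E.2) and verifies that the length fields are self-consistent. The function name and the returned dictionary keys are this example's own.

```python
import struct

# Payload bytes copied from the DATA hex dump in the alert above.
PAYLOAD = bytes.fromhex(
    "8046010301002D000000" "1000000500000400000A" "00000900006400006200"
    "00080000030000060100" "800700C0030080060040" "02008004008042648D74"
    "D911519B42C145D36AD6" "41E8"
)

def parse_sslv2_client_hello(data: bytes) -> dict:
    """Parse an SSLv2-format ClientHello; raise ValueError if the bytes do not fit."""
    if len(data) < 11:
        raise ValueError("too short for an SSLv2 ClientHello header")
    if not data[0] & 0x80:
        raise ValueError("not a 2-byte SSLv2 record header (high bit clear)")
    rec_len = struct.unpack(">H", data[:2])[0] & 0x7FFF
    msg_type, major, minor, cs_len, sid_len, ch_len = struct.unpack(">BBBHHH", data[2:11])
    if msg_type != 1:
        raise ValueError(f"message type {msg_type} is not CLIENT-HELLO (1)")
    if cs_len == 0 or cs_len % 3:
        raise ValueError("cipher-spec length must be a non-zero multiple of 3")
    if sid_len not in (0, 16):
        raise ValueError("session-id length must be 0 or 16")
    if not 16 <= ch_len <= 32:
        raise ValueError("challenge length must be 16..32")
    if rec_len != 9 + cs_len + sid_len + ch_len:
        raise ValueError("length fields do not add up to the record length")
    if len(data) < 2 + rec_len:
        raise ValueError("payload truncated")
    body = data[11:2 + rec_len]
    # Each cipher spec is 3 bytes; a leading 00 marks an SSLv3/TLS suite.
    specs = [body[i:i + 3].hex() for i in range(0, cs_len, 3)]
    return {
        "record_length": rec_len,
        "version": (major, minor),
        "cipher_specs": specs,
        "session_id": body[cs_len:cs_len + sid_len],
        "challenge": body[cs_len + sid_len:],
        "trailing_bytes": len(data) - 2 - rec_len,
    }

if __name__ == "__main__":
    hello = parse_sslv2_client_hello(PAYLOAD)
    print("version", hello["version"], "specs", len(hello["cipher_specs"]))
    print("challenge", hello["challenge"].hex())
```

On the bytes in this alert it reports version 3.1 (TLS 1.0), 15 cipher specs and a 16-byte challenge with nothing left over. The 72-byte payload plus 40 bytes of IP and TCP headers also matches the IP length of 112 shown in the alert.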

