[Snort-sigs] false +ves for BLEEDING-EDGE P2P CHAT Skype VoIP Initialization

Matt Jonkman matt at ...2436...
Tue Apr 19 18:26:06 EDT 2005


Interesting, I believe I have seen real hits on this, and haven't 
personally had falses.

This session appears to be to paypal.

Strange, that sig is quite specific. Jason Haar wrote it, maybe he can 
comment:

alert tcp $HOME_NET any -> any any (msg:"BLEEDING-EDGE P2P CHAT Skype VoIP Initialization"; flow:to_server,established; content:"|8046010301002d0000001000000500000400000a0000090000640000620000080000030000060100800700c0030080060040020080040080|"; depth:112; classtype:policy-violation; sid:2001333; rev:1;)

Anyone else with falses here?

Matt

Russell Fulton wrote:
> Hi Folks,
>   I am seeing a lot of hits against this rule that appear to be
> legitimate SSL sessions.  Ironically I don't see any real hits in spite
> of there being considerable amounts of skype on the network.
> 
> Russell
> 
> META
> --------
> SID     CID     TimeStamp               Signature
> 4       4241123 2005-04-19 16:54:10     BLEEDING-EDGE P2P CHAT Skype VoIP Initialization
> Sig ID
> 2001333
> 
> Sensor Hostname                         Sensor Interface
> jamjar  em0
> 
> IP
> --------
> Source Address  Dest Address    Ver     Hdr Len
> 130.216.42.235  216.113.188.35  4       5
> TOS     length  ID      flags   offset  TTL     chksum
> 0       112     63760   2       0       124     49950
> 
> Resolved Source
> Could Not Resolve
> Resolved Dest
> www.paypal.com 
> 
> TCP
> --------
> Source Port     Dest Port       Seq             Ack             
> 2078            443             4136229540      3248128544
> Offset  Reserved        Flags   Window  Checksum        Urgent Ptr
> 5       0               24      64860   26581           0
> 
> Options
> --------
> None
> 
> 
> Flags
> --------
> RB 1    RB 0    URG     ACK     PSH     RST     SYN     FIN
>                         X       X                               
> 
> DATA
> --------
> 8046010301002D000000    .F....-...
> 1000000500000400000A    ..........
> 00000900006400006200    .....d..b.
> 00080000030000060100    ..........
> 800700C0030080060040    .........@
> 02008004008042648D74    ......Bd.t
> D911519B42C145D36AD6    ..Q.B.E.j.
> 41E8    A.
> 
> 

-- 
--------------------------------------------
Matthew Jonkman, CISSP
Senior Security Engineer
Infotex
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC
my.infotex.com
www.offsitefilter.com
www.bleedingsnort.com
--------------------------------------------
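To see why the quoted alert fires on a paypal.com session on port 443, the payload bytes from Russell's DATA section can be decoded by hand. The script below is an added example, not part of this thread or of the Bleeding Snort rule set: it copies the 72 payload bytes and the content bytes of sid:2001333 from the messages above, decodes the payload as an SSLv2-compatible CLIENT-HELLO (2-byte record header, message type 1, version, cipher-spec/session-id/challenge lengths, cipher list, challenge), and reports which part of that structure the rule's content covers. The cipher names are the standard TLS and SSLv2 identifiers for the values that appear in the payload; no other assumptions are made.

```python
"""Decode the payload from the quoted alert as an SSLv2-style CLIENT-HELLO
and check what the content bytes of sid:2001333 actually match on.

Added example for this thread; the payload and rule content are copied from
the quoted messages, everything else is generic SSLv2 parsing.
"""

# Payload bytes copied from the DATA section of the quoted alert (72 bytes).
ALERT_PAYLOAD_HEX = (
    "8046010301002D000000"
    "1000000500000400000A"
    "00000900006400006200"
    "00080000030000060100"
    "800700C0030080060040"
    "02008004008042648D74"
    "D911519B42C145D36AD6"
    "41E8"
)

# The content: bytes of sid:2001333 as posted in the thread (56 bytes).
RULE_CONTENT_HEX = (
    "8046010301002d000000"
    "1000000500000400000a"
    "00000900006400006200"
    "00080000030000060100"
    "800700c0030080060040"
    "020080040080"
)

# Standard cipher identifiers. 00 xx xx entries are TLS/SSLv3 suites carried in
# SSLv2 framing; entries with a non-zero first byte are native SSLv2 specs.
CIPHER_NAMES = {
    0x000005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000004: "TLS_RSA_WITH_RC4_128_MD5",
    0x00000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x000009: "TLS_RSA_WITH_DES_CBC_SHA",
    0x000064: "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",
    0x000062: "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA",
    0x000008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x000006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x010080: "SSL2_RC4_128_WITH_MD5",
    0x0700C0: "SSL2_DES_192_EDE3_CBC_WITH_MD5",
    0x030080: "SSL2_RC2_128_CBC_WITH_MD5",
    0x060040: "SSL2_DES_64_CBC_WITH_MD5",
    0x020080: "SSL2_RC4_128_EXPORT40_WITH_MD5",
    0x040080: "SSL2_RC2_128_CBC_EXPORT40_WITH_MD5",
}


def parse_sslv2_client_hello(payload: bytes) -> dict:
    """Decode one SSLv2 record carrying a CLIENT-HELLO; ValueError otherwise."""
    if len(payload) < 11:
        raise ValueError("too short for an SSLv2 CLIENT-HELLO")
    if not payload[0] & 0x80:
        raise ValueError("first byte lacks the 2-byte-header bit")
    record_len = ((payload[0] & 0x7F) << 8) | payload[1]
    if record_len + 2 != len(payload):
        raise ValueError(f"record length {record_len} != payload length - 2")
    if payload[2] != 0x01:
        raise ValueError(f"message type {payload[2]:#x} is not CLIENT-HELLO")
    version = (payload[3], payload[4])            # 03 01 = TLS 1.0 offered
    cipher_len = int.from_bytes(payload[5:7], "big")
    session_len = int.from_bytes(payload[7:9], "big")
    challenge_len = int.from_bytes(payload[9:11], "big")
    if cipher_len % 3 or 11 + cipher_len + session_len + challenge_len != len(payload):
        raise ValueError("length fields do not add up to the record length")
    specs = payload[11:11 + cipher_len]
    ciphers = [int.from_bytes(specs[i:i + 3], "big") for i in range(0, cipher_len, 3)]
    return {
        "version": version,
        "ciphers": ciphers,
        "cipher_names": [CIPHER_NAMES.get(c, f"unknown_{c:06x}") for c in ciphers],
        "session_id_len": session_len,
        "challenge": payload[11 + cipher_len + session_len:],
    }


def signature_scope(payload: bytes, content: bytes) -> dict:
    """Say whether the rule content matches at offset 0 and which fields it spans."""
    hello = parse_sslv2_client_hello(payload)
    fixed_end = 11 + 3 * len(hello["ciphers"]) + hello["session_id_len"]
    return {
        "matches": payload.startswith(content),
        "covered_bytes": len(content),
        # True only if the content reaches into the random challenge bytes.
        "covers_challenge": len(content) > fixed_end,
    }


if __name__ == "__main__":
    payload = bytes.fromhex(ALERT_PAYLOAD_HEX)
    hello = parse_sslv2_client_hello(payload)
    print("version offered:", hello["version"])
    for name in hello["cipher_names"]:
        print("  cipher:", name)
    print("challenge bytes:", hello["challenge"].hex())
    print(signature_scope(payload, bytes.fromhex(RULE_CONTENT_HEX)))
```

Run against the quoted alert, the decoder shows a well-formed CLIENT-HELLO offering TLS 1.0 with fifteen ordinary cipher specs and a 16-byte challenge, and `signature_scope` reports that the rule's 56 content bytes are exactly the record header plus that cipher list, stopping just before the challenge. Anything that is specific to one connection (the challenge) is outside the match, so any client that offers these fifteen suites in this order on any port will produce the same hit; comparing the cipher list of the port 443 alerts against this decode is the quickest way to tell the SSL false positives from the Skype sessions Matt describes.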

