[Snort-sigs] sid 2586 False positive documentation

Burtoft, Jim jburtoft at ...2813...
Mon Feb 21 07:05:16 EST 2005

Message:  P2P eDonkey transfer
False positives:  This rule triggers when there is any traffic that has a source port of 4242 and the first hex byte is E3.  In our shop, this seems to happen regularly (once or twice a week) in SSL communication sessions (destination port 443) that just happen to have been dynamically assigned a source port of 4242.
I am not sure is this is characteristic of our network, or just the fact that any encrypted communication has an approximately 1/256 chance of beginning with the byte E3 (assuming encrypted traffic emulates a random distribution).  Of course, it only triggers the alert when the source port happens to be 4242 (perhaps soon after the client reboots?).

This message and any included attachments are confidential, and are intended for the use of the addressee(s).  Unauthorized review, forwarding, printing, copying, distributing, or other such uses is strictly prohibited and may be unlawful.  If you received this message in error, or believe you are not authorized to receive it, please promptly delete this message and notify the sender of the error.

More information about the Snort-sigs mailing list