[Snort-sigs] SSH brute force attack sig

Jason Haar Jason.Haar at ...651...
Thu Jul 7 12:35:17 EDT 2005


Jeff Kell wrote:

>And P2P searches drive sfportscan nuts, making it essentially useless here.
>  
>
You're not referring to Skype are you? Man, does that thing RUIN many 
network security tests!

We *used to* trigger alerts on internal IPs portscanning either many 
Internet hosts or many Internet port numbers - it *used to* indicate 
either a staff member portscanning some Internet range - or was a sign 
of a trojan infection. Ever since Skype showed up (and we didn't 
formally ban it - as it is a damn fine application), we've had to drop 
such tests as Skype does just that. It makes many simultaneous 
connections to many Internet addresses on random port numbers - totally 
impossible to classify.

What makes it worse is that it doesn't learn from its environment. We 
do egress filtering and the only way Skype can work on our network is 
via our proxies - but that doesn't stop it trying to get out directly - 
even after it's figured out to use our proxies :-( I have reported this 
issue to them - well - dropped a request into a blackhole appears to be 
what happened... Anyway, way off topic.

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
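The kind of check Jason describes dropping (alerting when an internal host fans out to many Internet hosts or many port numbers inside a short window) is easy to express over flow records, and doing so shows why a P2P client looks exactly like a scanner to it. The block below is an added example, not code from the post, from Snort's sfportscan, or from Trimble; it assumes 10.0.0.0/8 as the internal range, a 60-second tumbling window, thresholds of 20 distinct hosts or 20 distinct ports, and uses constructed flow records: one host that behaves like the Skype client described (many peers, random ports) and one that only ever talks to the web proxy.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    """One outbound connection attempt as a firewall or flow collector would log it."""
    ts: float      # epoch seconds
    src: str       # internal source address
    dst: str       # destination address
    dport: int     # destination port


# Assumption: internal space is 10.0.0.0/8; anything else counts as "Internet".
INTERNAL = ip_network("10.0.0.0/8")


def is_internal(ip: str) -> bool:
    return ip_address(ip) in INTERNAL


def fanout_alerts(flows, window=60.0, host_threshold=20, port_threshold=20):
    """
    Flag internal sources that, within one tumbling window of `window` seconds,
    contact at least `host_threshold` distinct Internet hosts or at least
    `port_threshold` distinct destination ports on Internet hosts.

    Returns {src: {"hosts": n_hosts, "ports": n_ports, "window": bucket}} for
    every (src, window) that crosses either threshold; the worst window per
    source is kept.
    """
    hosts = defaultdict(set)   # (src, bucket) -> set of dst addresses
    ports = defaultdict(set)   # (src, bucket) -> set of dst ports
    for f in flows:
        if not is_internal(f.src) or is_internal(f.dst):
            continue           # only internal -> Internet traffic is of interest
        bucket = int(f.ts // window)
        hosts[(f.src, bucket)].add(f.dst)
        ports[(f.src, bucket)].add(f.dport)

    alerts = {}
    for (src, bucket), dsts in hosts.items():
        n_hosts, n_ports = len(dsts), len(ports[(src, bucket)])
        if n_hosts >= host_threshold or n_ports >= port_threshold:
            prev = alerts.get(src)
            if prev is None or (n_hosts, n_ports) > (prev["hosts"], prev["ports"]):
                alerts[src] = {"hosts": n_hosts, "ports": n_ports, "window": bucket}
    return alerts


def sample_flows():
    """Constructed records: 10.0.0.5 behaves like the P2P client in the post
    (30 peers on random-looking ports in a few seconds); 10.0.0.7 makes 40
    connections, all to the internal proxy, which the check must ignore."""
    flows = []
    for i in range(30):
        # TEST-NET-3 addresses stand in for Skype supernodes/peers.
        flows.append(Flow(ts=1000.0 + i * 0.2, src="10.0.0.5",
                          dst=f"203.0.113.{i + 1}", dport=1024 + (i * 7919) % 60000))
    for i in range(40):
        flows.append(Flow(ts=1000.0 + i * 0.5, src="10.0.0.7",
                          dst="10.0.1.1", dport=3128))
    return flows


if __name__ == "__main__":
    for src, info in fanout_alerts(sample_flows()).items():
        print(f"ALERT {src}: {info['hosts']} hosts / {info['ports']} ports "
              f"in window {info['window']}")
```

The proxy-only host never appears, because its destinations are internal, while the P2P host trips both thresholds at once; with egress filtering in place those same records are the firewall's denied-connection log, which is where this fan-out pattern ends up being most visible. The point of the example is the failure mode the post describes: nothing in the record set distinguishes this client from a host that is genuinely scanning, so the only fixes are an explicit exception for the application's process or hosts, or retiring the check as Jason did.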