[Snort-sigs] SSH brute force attack sig
Jason.Haar at ...651...
Thu Jul 7 12:35:17 EDT 2005
Jeff Kell wrote:
>And P2P searches drive sfportscan nuts, making it essentially useless here.
You're not referring to Skype are you? Man, does that thing RUIN many
network security tests!
We *used to* trigger alerts on internal IPs portscanning either many
Internet hosts or many Internet port numbers - it *used to* indicate
either a staff member portscanning some Internet range - or was a sign
of a trojan infection. Ever since Skype showed up (and we didn't
formally ban it - as it is a damn fine application), we've had to drop
such tests as Skype does just that. It makes many simultaneous
connections to many Internet addresses on random port numbers - totally
impossible to classify.
What makes it worse is that it doesn't learn from its environment. We
do egress filtering and the only way Skype can work on our network is
via our proxies - but that doesn't stop it trying to get out directly -
even after it's figured out to use our proxies :-( I have reported this
issue to them - well - dropped a request into a blackhole appears to be
what happened... Anyway, way off topic.
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
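
Added example, not part of the original post and not Snort's sfportscan logic: a minimal fan-out check of the kind the message describes, run over constructed flow tuples. The internal range, thresholds, addresses and the `(src, dst, dport)` record format are all assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: the internal address space; adjust for the real network.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]


def is_internal(addr):
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def fanout_alerts(flows, max_hosts=20, max_ports=20):
    """Flag internal sources contacting many Internet hosts or many ports.

    flows: iterable of (src_ip, dst_ip, dst_port) for one time window.
    Thresholds are illustrative, not taken from the post.
    """
    hosts, ports = defaultdict(set), defaultdict(set)
    for src, dst, dport in flows:
        if is_internal(src) and not is_internal(dst):  # egress only
            hosts[src].add(dst)
            ports[src].add(dport)
    alerts = {}
    for src in hosts:
        reasons = []
        if len(hosts[src]) > max_hosts:
            reasons.append("many-hosts")
        if len(ports[src]) > max_ports:
            reasons.append("many-ports")
        if reasons:
            alerts[src] = reasons
    return alerts


# Constructed sample flows (documentation address ranges), one window.
SAMPLE_FLOWS = (
    # One port across many Internet hosts (horizontal sweep).
    [("10.0.0.5", f"198.51.100.{i}", 445) for i in range(1, 51)]
    # Many ports on one Internet host (vertical sweep).
    + [("10.0.0.6", "203.0.113.9", p) for p in range(1, 101)]
    # P2P-style client: many peers, each on a different high port.
    + [("10.0.0.7", f"192.0.2.{i}", 20000 + 37 * i) for i in range(1, 41)]
    # Ordinary browsing: a handful of hosts on 443.
    + [("10.0.0.8", f"203.0.113.{i}", 443) for i in range(20, 25)]
)

if __name__ == "__main__":
    for src, reasons in sorted(fanout_alerts(SAMPLE_FLOWS).items()):
        print(src, ",".join(reasons))
```

The P2P-style source trips both conditions at once, so a threshold on distinct hosts or ports alone cannot tell it apart from the two sweeps.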