[Snort-sigs] FP with telnet preprocessor....

Joel Esler joel.esler at ...435...
Mon Aug 20 21:46:02 EDT 2007


This particular example is showing Yahoo Instant Messenger finding  
its way out of the network on a non-standard port.

If it can't get out on port 5050, it will find its way out using 23  
or 80.  I know that doesn't solve the end issue, but I thought I'd  
let you know that (in case you didn't know), if it was a local policy  
violation.

:)

Joel

On Aug 20, 2007, at 9:39 PM, Russell Fulton wrote:

> Not exactly a signature issue but this seems to be the best place  
> to post.
>
> I've just installed 2.7 and turned on the ftp/telnet preprocessor  
> -- I see that both ftp and telnet are generating these alerts.   
> I assume that it decides stuff is encrypted if it strikes anything  
> that is not in its protocol model. In the case of the ftp some of  
> the packets were seriously broken, but these telnet alerts, like  
> the one below, are from a range of systems and all have the same  
> form, suggesting that there is something lacking in the model.
>
> Russell
>
> META
>   SID 6   CID 8815382   TimeStamp 2007-08-20 16:18:15
>   Signature: telnet_pp: Telnet data encrypted   Sig ID 2
>   Sensor Hostname: monitor-dmzo.isec.auckland.ac.nz   Sensor Interface: dmz sensor
>
> IP
>   Source Address 130.216.x.yy (abbb.ccc.auckland.ac.nz)
>   Dest Address   216.155.193.135 (cs8.msg.dcn.yahoo.com)
>   Ver 4  Hdr Len 5  TOS 0  length 89  ID 58040  flags 2  offset 0  TTL 126  chksum 63296
>
> TCP
>   Source Port 1262  Dest Port 23  Seq 2057010961  Ack 1040909924
>   Offset 5  Reserved 0  Flags 24 (ACK PSH)  Window 64816  Checksum 12746  Urgent Ptr 0
>   Options: None
>
> DATA (hex)
>   594D5347000F0000001D 00C600000000764AB787 3130C080393939C08031
>   39C080C0803937C08031 C0803437C08032C080
>
> DATA (ascii)
>   YMSG............vJ..10..999..19....97..1..47..2..
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs



--
joel esler
http://demo.sourcefire.com/jesler.pgp.key
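As an added example (not code from the original post or from the Snort project), here is a small Python parser for the YMSG framing visible in the DATA dump above, with a triage function that tells a Yahoo Messenger packet apart from real telnet traffic before one trusts a "Telnet data encrypted" alert on port 23. The sample payload is re-assembled from the hex in the post; the text/negotiation ratio heuristic is my own and is not how the Snort preprocessor decides, and the meaning of the YMSG service code and of the numbered field keys is deliberately not asserted.

```python
"""Telling Yahoo Messenger (YMSG) apart from telnet on tcp/23.

Added example, not code from the Snort project or from the mailing-list
post.  SAMPLE_PAYLOAD is the 49-byte TCP payload from the alert quoted in
the post, re-assembled from its hex dump.  The YMSG framing used here
(20-byte header, key/value body with a 0xC0 0x80 separator) is the
well-known layout; what the service code and the field keys mean is
deliberately not asserted."""
import struct

YMSG_MAGIC = b"YMSG"
YMSG_HEADER_LEN = 20    # magic(4) version(2) vendor(2) body_len(2) service(2) status(4) session(4)
YMSG_SEP = b"\xc0\x80"  # separator between keys and values in the body

# Constructed from the DATA hex in the post (five dump lines concatenated).
SAMPLE_PAYLOAD = bytes.fromhex(
    "594D5347000F0000001D"
    "00C600000000764AB787"
    "3130C080393939C08031"
    "39C080C0803937C08031"
    "C0803437C08032C080"
)


class YmsgError(ValueError):
    """Raised when bytes do not form a well-formed YMSG packet."""


def parse_ymsg(payload: bytes) -> dict:
    """Parse one YMSG packet from the start of `payload`.

    Validates magic, header length, the declared body length and the
    key/value framing, so a random binary blob is rejected rather than
    mis-parsed."""
    if len(payload) < YMSG_HEADER_LEN:
        raise YmsgError("shorter than a YMSG header")
    if payload[:4] != YMSG_MAGIC:
        raise YmsgError("no YMSG magic at offset 0")
    version, vendor, body_len, service, status, session = struct.unpack(
        ">HHHHII", payload[4:YMSG_HEADER_LEN])
    body = payload[YMSG_HEADER_LEN:YMSG_HEADER_LEN + body_len]
    if len(body) != body_len:
        raise YmsgError("header declares %d body bytes, only %d present"
                        % (body_len, len(body)))
    if body_len and not body.endswith(YMSG_SEP):
        raise YmsgError("body does not end with the C0 80 separator")
    # Body is key SEP value SEP key SEP value SEP ...; keys are decimal ASCII.
    parts = body[:-2].split(YMSG_SEP) if body_len else []
    if len(parts) % 2:
        raise YmsgError("odd number of fields in body")
    fields = []
    for i in range(0, len(parts), 2):
        key, value = parts[i], parts[i + 1]
        if not key.isdigit():
            raise YmsgError("non-numeric key %r" % key)
        fields.append((int(key), value.decode("utf-8", "replace")))
    return {
        "version": version, "vendor": vendor, "body_len": body_len,
        "service": service, "status": status, "session": session,
        "fields": fields,
        "trailing": payload[YMSG_HEADER_LEN + body_len:],  # start of a following packet, if any
    }


def is_ymsg(payload: bytes) -> bool:
    """True if the payload starts with a well-formed YMSG packet."""
    try:
        parse_ymsg(payload)
        return True
    except YmsgError:
        return False


def telnet_text_ratio(payload: bytes) -> float:
    """Fraction of bytes that look like telnet: printable ASCII, common
    control characters, or IAC option negotiation.  Heuristic written for
    this example; it is not the Snort preprocessor's own logic."""
    n, i, ok = len(payload), 0, 0
    while i < n:
        b = payload[i]
        if b == 0xFF and i + 1 < n:  # IAC <command> [<option>]
            span = 3 if payload[i + 1] in (0xFB, 0xFC, 0xFD, 0xFE) else 2  # WILL/WONT/DO/DONT carry an option
            span = min(span, n - i)
            ok += span
            i += span
            continue
        if 0x20 <= b < 0x7F or b in (0x07, 0x08, 0x09, 0x0A, 0x0D):
            ok += 1
        i += 1
    return ok / n if n else 0.0


def classify_port23_payload(payload: bytes) -> str:
    """Triage for a payload the sensor saw on tcp/23: 'ymsg' if it parses
    as a Yahoo Messenger packet, 'telnet-text' if it is mostly text or
    negotiation, otherwise 'binary' (the case worth a closer look)."""
    if is_ymsg(payload):
        return "ymsg"
    return "telnet-text" if telnet_text_ratio(payload) >= 0.9 else "binary"


if __name__ == "__main__":
    pkt = parse_ymsg(SAMPLE_PAYLOAD)
    print("service=0x%02x status=%d session=0x%08x fields=%s"
          % (pkt["service"], pkt["status"], pkt["session"], pkt["fields"]))
    print(classify_port23_payload(SAMPLE_PAYLOAD))
```

On the post's payload the parser recovers version 15, a 29-byte body (which matches the IP total length of 89 minus 40 bytes of IP and TCP headers minus the 20-byte YMSG header) and the fields 10=999, 19="", 97=1, 47=2, so the bytes are structured IM traffic, not ciphertext. The same 4-byte magic at payload offset 0 is what a local Snort rule would key on (content:"YMSG"; depth:4;) if you wanted to tag or pass this traffic explicitly on port 23 rather than rely on the preprocessor's verdict.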




