<HTML><BODY style="word-wrap: break-word; -khtml-nbsp-mode: space; -khtml-line-break: after-white-space; ">This particular example is showing Yahoo Instant Messenger finding its way out of the network on a non-standard port.<DIV><BR class="khtml-block-placeholder"></DIV><DIV>If it can't get out on port 5050, it will find its way out using 23 or 80.  I know that doesn't solve the end issue, but I thought I'd let you know that (in case you didn't know), if it was a local policy violation.</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>:)</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>Joel</DIV><DIV><BR><DIV><DIV>On Aug 20, 2007, at 9:39 PM, Russell Fulton wrote:</DIV><BR class="Apple-interchange-newline"><BLOCKQUOTE type="cite"> Not exactly a signature issue, but this seems to be the best place to post.<BR> <BR> I've just installed 2.7 and turned on the ftp/telnet preprocessor -- I see that both ftp and telnet are generating these alerts.  I assume that it decides stuff is encrypted if it strikes anything that is not in its protocol model. 
In the case of the ftp some of the packets were seriously broken, but these telnet alerts, like the one below, are from a range of systems and all have the same form, suggesting that there is something lacking in the model.<BR> <BR> Russell<BR> <BR> <TABLE>  <TBODY><TR bgcolor="#ffbbbb"><TD>META</TD><TD>      <TABLE border="1" width="100%">        <TBODY><TR><TD>SID</TD><TD>CID</TD><TD>TimeStamp</TD><TD>Signature</TD><TD>Sig ID</TD></TR><TR><TD>6</TD><TD>8815382</TD><TD>2007-08-20 16:18:15</TD><TD>telnet_pp: Telnet data encrypted</TD><TD><A href="http://www.snort.org/snort-db/sid.html?sid=2">2</A></TD></TR></TBODY>      </TABLE>      <TABLE border="1" width="100%">        <TBODY><TR><TD>Sensor Hostname</TD><TD>Sensor Interface</TD></TR><TR><TD>monitor-dmzo.isec.auckland.ac.nz</TD><TD>dmz sensor</TD></TR></TBODY>      </TABLE>      </TD></TR><TR bgcolor="#bbffbb"><TD>IP</TD><TD>      <TABLE border="1" width="100%">        <TBODY><TR><TD>Source Address</TD><TD>Dest Address</TD><TD>Ver</TD><TD>Hdr Len</TD><TD>TOS</TD><TD>length</TD><TD>ID</TD><TD>flags</TD><TD>offset</TD><TD>TTL</TD><TD>chksum</TD></TR><TR><TD>130.216.x.yy</TD><TD>216.155.193.135</TD><TD>4</TD><TD>5</TD><TD>0</TD><TD>89</TD><TD>58040</TD><TD>2</TD><TD>0</TD><TD>126</TD><TD>63296</TD></TR></TBODY>      </TABLE>      <TABLE border="1" width="100%">        <TBODY><TR><TD>Resolved Source</TD><TD>Resolved Dest</TD></TR><TR><TD>abbb.ccc.auckland.ac.nz </TD><TD> cs8.msg.dcn.yahoo.com </TD></TR></TBODY>      </TABLE>      </TD></TR><TR bgcolor="#bbbbff"><TD>TCP</TD><TD>      <TABLE border="1" width="100%">        <TBODY><TR><TD>Source Port</TD><TD>Dest Port</TD><TD>Seq</TD><TD>Ack</TD><TD>Offset</TD><TD>Reserved</TD><TD>Flags</TD><TD>Window</TD><TD>Checksum</TD><TD>Urgent Ptr</TD></TR><TR><TD>1262</TD><TD>23</TD><TD>2057010961</TD><TD>1040909924</TD><TD>5</TD><TD>0</TD><TD>24</TD><TD>64816</TD><TD>12746</TD><TD>0</TD></TR></TBODY>      </TABLE>      <TABLE border="1">        <TBODY><TR><TD colspan="4">Options</TD></TR><TR><TD colspan="4">None</TD></TR></TBODY>      </TABLE>      <TABLE border="1">        <TBODY><TR><TD colspan="8">Flags</TD></TR><TR><TD colspan="8"><BR>            </TD></TR><TR><TD>RB 1</TD><TD>RB 0</TD><TD>URG</TD><TD>ACK</TD><TD>PSH</TD><TD>RST</TD><TD>SYN</TD><TD>FIN</TD></TR><TR><TD><BR>            </TD><TD><BR>            </TD><TD><BR>            </TD><TD align="center">X</TD><TD align="center">X</TD><TD><BR>            </TD><TD><BR>            </TD><TD><BR>            </TD></TR></TBODY>      </TABLE>      </TD></TR><TR bgcolor="#bbffff"><TD>DATA</TD><TD>      <TABLE>        <TBODY><TR><TD>            <PRE>594D5347000F0000001D

00C600000000764AB787

3130C080393939C08031

39C080C0803937C08031

C0803437C08032C080


            </PRE>            </TD><TD>            <PRE>YMSG......

......vJ..

10..999..1

9....97..1

..47..2..


            </PRE>            </TD></TR></TBODY>      </TABLE>      </TD></TR></TBODY> </TABLE> <HR> <TABLE>  <TBODY><TR bgcolor="#bbffff"><TD>DATA</TD><TD>      <PRE>YMSG............vJ..10..999..19....97..1..47..2..</PRE>      </TD></TR></TBODY> </TABLE><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">Snort-sigs mailing list</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><A href="mailto:Snort-sigs@lists.sourceforge.net">Snort-sigs@lists.sourceforge.net</A></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><A href="https://lists.sourceforge.net/lists/listinfo/snort-sigs">https://lists.sourceforge.net/lists/listinfo/snort-sigs</A></DIV> </BLOCKQUOTE></DIV><BR><DIV> <SPAN class="Apple-style-span" style="border-collapse: separate; border-spacing: 0px 0px; color: rgb(0, 0, 0); font-family: Lucida Sans; font-size: 12px; font-style: normal; font-variant: normal; 
font-weight: normal; letter-spacing: normal; line-height: normal; text-align: auto; -khtml-text-decorations-in-effect: none; text-indent: 0px; -apple-text-size-adjust: auto; text-transform: none; orphans: 2; white-space: normal; widows: 2; word-spacing: 0px; "><SPAN class="Apple-style-span" style="border-collapse: separate; border-spacing: 0px 0px; color: rgb(0, 0, 0); font-family: Lucida Sans; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-align: auto; -khtml-text-decorations-in-effect: none; text-indent: 0px; -apple-text-size-adjust: auto; text-transform: none; orphans: 2; white-space: normal; widows: 2; word-spacing: 0px; "><BR class="Apple-interchange-newline"><DIV style="font-family: Lucida Sans; ; font-size: 11px; "><BR class="khtml-block-placeholder"></DIV><DIV style="font-family: Lucida Sans; ; font-size: 11px; "><SPAN class="Apple-style-span" style="font-size: 11px; "><SPAN class="Apple-style-span" style="font-size: 11px; ">--</SPAN></SPAN></DIV><DIV style="font-family: Lucida Sans; ; font-size: 11px; "><SPAN class="Apple-style-span" style="font-size: 11px; "><SPAN class="Apple-style-span" style="font-size: 11px; ">joel esler</SPAN></SPAN></DIV><DIV style="font-family: Lucida Sans; ; font-size: 11px; "><SPAN class="Apple-style-span" style="font-size: 11px; "><SPAN class="Apple-style-span" style="font-size: 11px; "><A href="http://demo.sourcefire.com/jesler.pgp.key">http://demo.sourcefire.com/jesler.pgp.key</A></SPAN></SPAN></DIV><DIV style="font-family: Lucida Sans; ; font-size: 11px; "><BR class="khtml-block-placeholder"></DIV><BR class="Apple-interchange-newline"></SPAN></SPAN> </DIV><BR></DIV></BODY></HTML>
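Decoding the DATA dump from Russell's alert, as an added example that is not code from the thread: the bytes form a complete, self-consistent YMSG packet (the declared payload length matches what is on the wire), which is exactly the kind of non-telnet data the preprocessor's model cannot fit. The header layout is assumed from open-source Yahoo clients such as libyahoo2, and the hex is re-joined from the five dump lines above.

```python
"""Decode the YMSG packet behind the telnet_pp 'Telnet data encrypted' alert.

Added example, not code from the thread. Assumes the YMSG header layout used by
open-source clients such as libyahoo2: 'YMSG' magic, 2-byte version, 2-byte
vendor id, 2-byte payload length, 2-byte service, 4-byte status, 4-byte
session id, then key/value strings each terminated by the bytes 0xC0 0x80.
"""
import struct

# Hex dump from the alert in the thread, re-joined from its five lines.
PAGE_PAYLOAD_HEX = (
    "594D5347000F0000001D" "00C600000000764AB787" "3130C080393939C08031"
    "39C080C0803937C08031" "C0803437C08032C080"
)
YMSG_HDR = struct.Struct(">4sHHHHII")  # magic, ver, vendor, len, svc, status, session
FIELD_SEP = b"\xc0\x80"


def parse_ymsg(data: bytes) -> dict:
    """Return header fields and decoded key/value pairs, or raise ValueError."""
    if len(data) < YMSG_HDR.size or data[:4] != b"YMSG":
        raise ValueError("not a YMSG packet")
    _, version, vendor, length, service, status, session = YMSG_HDR.unpack_from(data)
    body = data[YMSG_HDR.size:]
    # A well-formed packet declares exactly the number of payload bytes present.
    if len(body) != length:
        raise ValueError(f"length field {length} != body size {len(body)}")
    parts = body.split(FIELD_SEP)
    # Each field ends in 0xC080, so the split leaves a trailing empty piece,
    # and what remains must pair up as key, value, key, value, ...
    if parts[-1] != b"" or len(parts) % 2 != 1:
        raise ValueError("payload is not 0xC080-terminated key/value fields")
    fields = [p.decode("ascii", errors="replace") for p in parts[:-1]]
    return {
        "version": version, "vendor": vendor, "service": service,
        "status": status, "session": session,
        "fields": list(zip(fields[0::2], fields[1::2])),
    }


def triage(hex_dump: str) -> str:
    """One-line verdict for an analyst reviewing a 'Telnet data encrypted' hit."""
    try:
        info = parse_ymsg(bytes.fromhex(hex_dump))
    except ValueError:
        return "not YMSG"
    return (f"YMSG v{info['version']} service 0x{info['service']:02X}, "
            f"{len(info['fields'])} fields")
```

The length and field-structure checks are what separate a real YMSG session from random bytes that merely start with the magic, so a hit like this can be reclassified as an IM-on-port-23 policy event rather than encrypted telnet.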