Re: Stormy P2P bot Sigs -- may be SKYPE ?
List: security.ids.snort.bleedingsnort, msg#00166
Matt Jonkman wrote:
> Finding more detail, this does indeed look like edonkey traffic on an
> unusual port.
>
> I'm working on making better sigs, and might pull these shortly. If
> anyone is interested here are the references I'm looking at:
>
> http://www.giac.org/certified_professionals/practicals/gcih/0446.php
> ftp://ftp.kom.e-technik.tu-darmstadt.de/pub/papers/HB02-1-paper.pdf
>
> We may just need to redo the existing edonkey sigs, which look only at
> ports 4660:4799. This trojan runs with a source port of 7871, which is
> rather unusual...
>
> Any edonkey experts out there?

Hmmmm... My edonkey alerts have gone crazy recently. I know that at least some of the machines (the ones I checked) are not doing any p2p file sharing, nor are there any signs of infection or compromise. All 3 however were running Skype. Is it possible that changes have been made to the skype protocol which result in a lot of packets with 0xE3 at the start?

Russell
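Added example (not part of the thread, and not code from either poster): the two messages above contrast a port-based eDonkey sig (4660:4799) with traffic that is eDonkey-framed on an odd port (source port 7871), and then raise the worry that a bare "first byte is 0xE3" match will also fire on unrelated traffic such as Skype. The Python below, in place of Snort rule syntax, runs three checks over constructed packets: a port-only rule, a loose first-byte rule, and a stricter check of the eDonkey TCP framing (protocol byte 0xE3, then a 4-byte little-endian length covering the opcode and body, then the opcode). It also estimates how often the loose and strict checks trip on pseudo-random payloads. Assumptions: the packets are constructed, not captured; the opcode value 0x01, the destination ports other than 4662, and the "Skype-like" blob are chosen for illustration only.

```python
"""Added example: loose 0xE3 byte match vs. eDonkey framing check on constructed packets."""
import random
import struct
from typing import Iterable, List, Tuple

EDONKEY_PROTO = 0xE3                # eDonkey/eMule TCP protocol marker byte
EDONKEY_PORTS = range(4660, 4800)   # the port range the existing sigs look at (4660:4799)


def ed2k_message(opcode: int, body: bytes) -> bytes:
    """Build an eDonkey-framed TCP message: 0xE3, LE32 length of (opcode + body), opcode, body."""
    return bytes([EDONKEY_PROTO]) + struct.pack("<I", 1 + len(body)) + bytes([opcode]) + body


# Constructed sample packets: (src_port, dst_port, tcp_payload). Not captured traffic.
SAMPLE_PACKETS: List[Tuple[int, int, bytes]] = [
    # 1. eDonkey-framed message to a standard eDonkey port (opcode 0x01 chosen for illustration)
    (51234, 4662, ed2k_message(0x01, b"\x00" * 16 + b"hello")),
    # 2. same framing, but source port 7871 (as in the thread) and a destination port
    #    outside 4660:4799 (hypothetical), so a port-only rule never sees it
    (7871, 43223, ed2k_message(0x01, b"\x00" * 16 + b"hello")),
    # 3. opaque blob that happens to start with 0xE3 (stand-in for the Skype-like traffic
    #    the reply suspects); its "length field" does not agree with the packet size
    (52001, 33033, b"\xe3\x9a\x41\x7f\x02\x55\xd3\x10\x8b\xee\x01\x77"),
    # 4. plain HTTP request, should match nothing
    (52002, 80, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
]


def port_match(src_port: int, dst_port: int) -> bool:
    """What a port-only rule sees: either end of the connection inside 4660:4799."""
    return src_port in EDONKEY_PORTS or dst_port in EDONKEY_PORTS


def loose_match(payload: bytes) -> bool:
    """Broad content check: first payload byte is 0xE3, on any port."""
    return len(payload) >= 1 and payload[0] == EDONKEY_PROTO


def strict_match(payload: bytes) -> bool:
    """eDonkey framing check: 0xE3, then a LE32 length that equals the number of bytes
    after the length field (opcode + body), with at least the opcode byte present."""
    if len(payload) < 6 or payload[0] != EDONKEY_PROTO:
        return False
    (length,) = struct.unpack_from("<I", payload, 1)
    return length >= 1 and length == len(payload) - 5


def classify(packets: Iterable[Tuple[int, int, bytes]]) -> List[Tuple[bool, bool, bool]]:
    """Per packet: (port rule fires, loose byte rule fires, strict framing rule fires)."""
    return [(port_match(s, d), loose_match(p), strict_match(p)) for s, d, p in packets]


def false_positive_rates(n: int = 100_000, seed: int = 1) -> Tuple[float, float]:
    """Fraction of seeded pseudo-random payloads (6..64 bytes) that trip each content
    check. The loose check lands near 1/256; the strict check stays at or near zero."""
    rng = random.Random(seed)
    loose = strict = 0
    for _ in range(n):
        payload = bytes(rng.getrandbits(8) for _ in range(rng.randint(6, 64)))
        loose += loose_match(payload)
        strict += strict_match(payload)
    return loose / n, strict / n


if __name__ == "__main__":
    for (s, d, p), hits in zip(SAMPLE_PACKETS, classify(SAMPLE_PACKETS)):
        print(f"{s:>5} -> {d:<5} port={hits[0]!s:<5} loose={hits[1]!s:<5} strict={hits[2]}")
    print("false-positive rates (loose, strict):", false_positive_rates())
```

Packet 2 is the case the thread is about: the port-only rule misses it while both content checks catch it. Packet 3 is the case the reply worries about: a rule that is nothing more than `content:"|E3|"; depth:1;` with no port constraint fires on it, and on roughly 1 in 256 arbitrary payloads, which is consistent with edonkey alerts "going crazy" on hosts running an unrelated protocol. Tying the length field to the packet size (or checking the following opcode) is what makes the content rule specific to eDonkey rather than to one byte value.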