Re: Stormy P2P bot Sigs -- may be SKYPE ? (msg#00179, security.ids.snort.bleedingsnort)
Russell Fulton wrote:
> Hmmmm... My edonkey alerts have gone crazy recently. I know that at
> least some of the machines (the ones I checked) are not doing any p2p
> file sharing, nor are there any signs of infection or compromise. All 3
> however were running Skype. Is it possible that changes have been made
> to the skype protocol which results in a lot of packets with 0XE3 at the
> start?

Looked into some basic skype pcaps and they shouldn't be triggering the edonkey sigs. Could skype be using edonkey to pull updates or something?

Could you turn off skype on a few of those and see if the hits persist? I'd definitely like to get to the bottom of this one.

Matt

--
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
765-807-3060 fax
http://www.bleedingthreats.net
PGP: http://www.bleedingthreats.com/mattjonkman.asc
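The thread's suspicion is that the alerts key on a single leading byte (0xE3). The following is an added example, not code from the list or from the Bleeding Edge Threats rules, showing why a first-byte-only test fires on any opaque payload that happens to start with that byte, and how a check that also validates the eDonkey TCP header layout (marker byte, 4-byte little-endian length covering opcode plus body, then the opcode) separates real eDonkey messages from such noise. The samples are constructed for the demonstration; the "opaque" payloads are stand-ins for encrypted or proprietary traffic, not Skype captures. The structured check assumes one complete eDonkey message per payload, which is a simplification for TCP streams.

```python
import struct

# eDonkey protocol marker byte; the alerts in the thread key on packets starting with it.
EDONKEY_MARKER = 0xE3


def naive_match(payload: bytes) -> bool:
    """Mimic a rule that tests only the first payload byte."""
    return len(payload) >= 1 and payload[0] == EDONKEY_MARKER


def structured_match(payload: bytes) -> bool:
    """Tighter check modelled on the eDonkey TCP header: marker, 4-byte little-endian
    length (covering opcode plus body), then the opcode. Accept only when the declared
    length agrees with the bytes actually present, so opaque data that merely starts
    with 0xE3 is rejected. Assumes one whole eDonkey message per payload."""
    if len(payload) < 6 or payload[0] != EDONKEY_MARKER:
        return False
    declared = struct.unpack_from("<I", payload, 1)[0]
    return declared >= 1 and declared == len(payload) - 5


def make_edonkey_message(opcode: int, body: bytes) -> bytes:
    """Build a syntactically valid eDonkey TCP message (constructed test data)."""
    header = bytes([EDONKEY_MARKER]) + struct.pack("<I", 1 + len(body))
    return header + bytes([opcode]) + body


# Constructed samples, not captured traffic.
SAMPLES = {
    # well-formed eDonkey message: opcode 0x01 with a 22-byte zero body
    "edonkey_hello_like": make_edonkey_message(0x01, b"\x00" * 22),
    # opaque (encrypted-looking) payload whose first byte happens to be 0xE3;
    # its bytes 1..4 decode to a length far larger than the payload
    "opaque_starting_e3": bytes.fromhex("e39f412bc07d5ae8d1a6b33c0f"),
    # opaque payload with a different first byte (0xE3 appears later, harmlessly)
    "opaque_other": bytes.fromhex("7a11f0e3c4d55e6677889900aa"),
}


def evaluate(samples=SAMPLES):
    """Return {name: (naive_hit, structured_hit)} for each sample payload."""
    return {name: (naive_match(p), structured_match(p)) for name, p in samples.items()}


def false_positive_names(samples=SAMPLES):
    """Names the first-byte rule flags that the header check does not."""
    return sorted(
        name for name, (naive, structured) in evaluate(samples).items()
        if naive and not structured
    )


if __name__ == "__main__":
    for name, (naive, structured) in evaluate().items():
        print(f"{name:20s} first-byte rule: {str(naive):5s} header check: {structured}")
    print("false positives of the first-byte rule:", false_positive_names())
```

For uniformly distributed payload bytes, roughly one packet in 256 begins with 0xE3, so a single-byte rule on a busy host with encrypted traffic will alert constantly; tying the match to the header's length field is one cheap way to cut that down before resorting to the "switch Skype off and watch" test Matt suggests.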