
Re: Stormy P2P bot Sigs -- may be SKYPE ?: msg#00184

security.ids.snort.bleedingsnort

Subject: Re: Stormy P2P bot Sigs -- may be SKYPE ?

Those rules are new... but on the flip side, I've not been able to get
them to trip on intentional skype traffic here.

I am wondering more if skype is using edonkey to pull updates or
something, but my client isn't needing an update?

Matt

Russell Fulton wrote:
>
> Matt Jonkman wrote:
>> Ummm... that's a little scary.
>>
>> To be honest, when I was looking at those stormy variants the traffic
>> didn't exactly conform to edonkey, but was close. It's VERY possible it
>> may have been skype and I've written for the wrong protocol.
>>
>> Let me look into it and see what'll match. Anyone else seeing skype hits?
>>
>
> I've just followed up another machine that was getting lots of hits.
> This machine belongs to a senior physics professor who I have known for
> years. There is no Edonkey or other file sharing p2p software on the
> box and since it is a Mac it is unlikely to be infected with peacomm ;)
> and he was using SKYPE at the time of my alerts.
>
> I suspect that the p2p rules are not widely used and those that do
> monitor for p2p also ban SKYPE which we don't.
>
> What puzzles me is why this has just started happening -- or are these
> rules new?
>
>
> Russell.

--
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
765-807-3060 fax
http://www.bleedingthreats.net
--------------------------------------------

PGP: http://www.bleedingthreats.com/mattjonkman.asc

