Hugo van der Kooij wrote:
On Fri, 12 Nov 2004, Alex Kirk wrote:
Hugo van der Kooij wrote:
On Fri, 12 Nov 2004, Chich Thierry wrote:
Russell Fulton wrote:
GEN:SID 1:2586
Message P2P eDonkey transfer
Rule alert tcp $HOME_NET 4242 <> $EXTERNAL_NET any (msg:"P2P eDonkey
transfer"; flow:established; content:"|E3|"; depth:1;
reference:url,www.kom.e-technik.tu-darmstadt.de/publications/abstracts/HB02-1.html; classtype:policy-violation; sid:2586; rev:1;)
I think that the any definition should be a range for high ports
(1024-65535). This would prevent most false positives with normal
applications.
Actually, Hugo, specifying this sort of a high port range is likely to
generate *more* false positives.
I fail to see why
Rule alert tcp $HOME_NET 4242 <> $EXTERNAL_NET any (....
would have less false positives compared to
Rule alert tcp $HOME_NET 4242 <> $EXTERNAL_NET 1024:65535 (....
To me it would seem I would at least not be bothered by my traffic coming
from port 4242 going to a remote webserver or imaps server or ....
(anything below port 1024).
Hugo.
Actually, it would be because I mis-read your mail, and thought that you
were proposing 1024:65535 on both sides, a la $HOME_NET 1024:65535 <>
$EXTERNAL_NET 1024:65535. You were correct, I just misinterpreted what
you were saying there.
Alex Kirk
Research Analyst
Sourcefire, Inc.
-------------------------------------------------------
This SF.Net email is sponsored by: InterSystems CACHE
FREE OODBMS DOWNLOAD - A multidimensional database that combines
robust object and relational technologies, making it a perfect match
for Java, C++,COM, XML, ODBC and JDBC. www.intersystems.com/match8
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
