Jeff Kell wrote:
And P2P searches drive sfportscan nuts, making it essentially useless here.
You're not referring to Skype are you? Man, does that thing RUIN many
network security tests!
We *used to* trigger alerts on internal IPs portscanning either many
Internet hosts or many Internet port numbers - it *used to* indicate
either a staff member portscanning some Internet range - or was a sign
of a trojan infection. Ever since Skype showed up (and we didn't
formally ban it - as it is a damn fine application), we've had to drop
such tests as Skype does just that. It makes many simultaneous
connections to many Internet addresses on random port numbers - totally
impossible to classify.
What makes it worse is that it doesn't learn from it's environment. We
do egress filtering and the only way Skype can work on our network is
via our proxies - but that doesn't stop it trying to get out directly -
even after it's figured out to use our proxies :-( I have reported this
issue to them - well - dropped a request into a blackhole appears to be
what happened... Anyway, way off topic.
--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
-------------------------------------------------------
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
