List Info

Thread: FPs on sid 2003020 TLS/SSL Encrypted Application Data on Unusual Port
FPs on sid 2003020 TLS/SSL Encrypted Application Data on Unusual Port
country flaguser name
United States		 2007-06-05 07:56:41 
This signature is firing on encrypted AOL traffic (AOL
webmail I think).  Most source addresses are in the
'blue.aol.com' family.

You might want to exclude port 9001 as one of the
"Known SSL" ports with a
"flowbits:set,BS.SSL.Known.Port;" keyword like the
other excluded rules (e.g., sids 2003026-2003029), like:

> alert tcp any any -> any 8000
(msg:"BLEEDING-EDGE POLICY Known SSL traffic on port
9001 being excluded from SSL Alerts";
flow:established,to_server; flowbits:noalert;
flowbits:set,BS.SSL.Known.Port; classtype:not-suspicious;
sid:200xxxx; rev:2;)

Jeff

_______________________________________________
Bleeding-sigs mailing list
Bleeding-sigsbleedingthreats.net
http://lists.bleedingthreats.net/cgi-bin/
mailman/listinfo/bleeding-sigs
Re: FPs on sid 2003020 TLS/SSL Encrypted Application Data on Unusual Port
country flaguser name
United States		 2007-06-08 23:15:56 
Got it, thanks Jeff. Added the rule to do so!

Matt

Jeff Kell wrote:
> This signature is firing on encrypted AOL traffic (AOL
webmail I think).  Most source addresses are in the
'blue.aol.com' family.
> 
> You might want to exclude port 9001 as one of the
"Known SSL" ports with a
"flowbits:set,BS.SSL.Known.Port;" keyword like the
other excluded rules (e.g., sids 2003026-2003029), like:
> 
>> alert tcp any any -> any 8000
(msg:"BLEEDING-EDGE POLICY Known SSL traffic on port
9001 being excluded from SSL Alerts";
flow:established,to_server; flowbits:noalert;
flowbits:set,BS.SSL.Known.Port; classtype:not-suspicious;
sid:200xxxx; rev:2;)
> 
> Jeff
> 
> _______________________________________________
> Bleeding-sigs mailing list
> Bleeding-sigsbleedingthreats.net
> http://lists.bleedingthreats.net/cgi-bin/
mailman/listinfo/bleeding-sigs

-- 
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
http://www.bleedingthr
eats.net
--------------------------------------------

PGP: http:/
/www.bleedingthreats.com/mattjonkman.asc


_______________________________________________
Bleeding-sigs mailing list
Bleeding-sigsbleedingthreats.net
http://lists.bleedingthreats.net/cgi-bin/
mailman/listinfo/bleeding-sigs
[1-2]

about | contact  Other archives ( Real Estate discussion Medical topics )