On Fri, 12 Nov 2004, Alex Kirk wrote:
> Hugo van der Kooij wrote:
> >On Fri, 12 Nov 2004, Chich Thierry wrote:
> >>Russell Fulton wrote:
> >>>GEN:SID 1:2586
> >>>Message P2P eDonkey transfer
> >>>Rule alert tcp $HOME_NET 4242 <> $EXTERNAL_NET any (msg:"P2P eDonkey
> >>>transfer"; flow:established; content:"|E3|"; depth:1;
> >>>reference:url,www.kom.e-technik.tu-darmstadt.de/publications/abstracts/HB02-1.html; classtype:policy-violation; sid:2586; rev:1;)
> >I think that the any definition should be a range for high ports
> >(1024-65535). This would prevent most false positives with normal
> Actually, Hugo, specifying this sort of a high port range is likely to
> generate *more* false positives.
I fail to see why
Rule alert tcp $HOME_NET 4242 <> $EXTERNAL_NET any (....
would have fewer false positives compared to
Rule alert tcp $HOME_NET 4242 <> $EXTERNAL_NET 1024:65535 (....
To me it would seem I would at least not be bothered by my traffic coming
from port 4242 going to a remote webserver or imaps server or ....
(anything below port 1024).
I hate duplicates. Just reply to the relevant mailing list.
Don't meddle in the affairs of magicians,
for they are subtle and quick to anger.
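To make the port-range disagreement above concrete, here is an added example (not code from the thread or from Snort itself): a small Python model of Snort 2.x port specifications that evaluates only the rule *header* (the bidirectional `$HOME_NET 4242 <> $EXTERNAL_NET ...` part, ignoring `flow:` and `content:`) against a few constructed flows. The helper names `parse_ports`, `Flow` and `rule_matches`, and the sample flows, are my own constructions.

```python
"""Model Snort 2.x port specs and compare the 'any' vs '1024:65535' rule headers."""
from dataclasses import dataclass


def parse_ports(spec: str):
    """Turn a Snort port spec into a predicate over a port number.

    Supports: any, N, lo:hi, :hi, lo:, !spec and [a,b,...] lists (hypothetical
    helper; it covers the syntax used in the rule under discussion and common variants).
    """
    spec = spec.strip()
    if spec.startswith("!"):                      # negation
        inner = parse_ports(spec[1:])
        return lambda p: not inner(p)
    if spec.startswith("[") and spec.endswith("]"):  # port list
        parts = [parse_ports(s) for s in spec[1:-1].split(",")]
        return lambda p: any(f(p) for f in parts)
    if spec == "any":
        return lambda p: True
    if ":" in spec:                               # range, open-ended on either side
        lo, hi = spec.split(":", 1)
        lo_n, hi_n = (int(lo) if lo else 0), (int(hi) if hi else 65535)
        return lambda p: lo_n <= p <= hi_n
    port = int(spec)
    return lambda p: p == port


@dataclass(frozen=True)
class Flow:
    src_net: str   # "home" ($HOME_NET) or "ext" ($EXTERNAL_NET)
    sport: int
    dst_net: str
    dport: int


def rule_matches(home_ports: str, ext_ports: str, flow: Flow) -> bool:
    """Header 'tcp $HOME_NET <home_ports> <> $EXTERNAL_NET <ext_ports>' ('<>' = either direction)."""
    home, ext = parse_ports(home_ports), parse_ports(ext_ports)
    fwd = flow.src_net == "home" and home(flow.sport) and flow.dst_net == "ext" and ext(flow.dport)
    rev = flow.src_net == "ext" and ext(flow.sport) and flow.dst_net == "home" and home(flow.dport)
    return fwd or rev


# Constructed sample flows: outbound HTTPS and IMAPS from local port 4242,
# an inbound peer hitting local 4242, and an outbound connection to remote 4242.
SAMPLE_FLOWS = [
    Flow("home", 4242, "ext", 443),
    Flow("home", 4242, "ext", 993),
    Flow("ext", 51234, "home", 4242),
    Flow("home", 33000, "ext", 4242),
]


def compare(flows=SAMPLE_FLOWS):
    """Per flow: (flow, matches with 'any', matches with '1024:65535')."""
    return [(f, rule_matches("4242", "any", f), rule_matches("4242", "1024:65535", f)) for f in flows]


if __name__ == "__main__":
    for f, any_hit, high_hit in compare():
        print(f"{f.src_net}:{f.sport} -> {f.dst_net}:{f.dport}  any={any_hit}  high={high_hit}")
```

The first two flows (local port 4242 talking to a remote web or IMAPS server) trip the `any` header but not the `1024:65535` one, which is the case Hugo describes; the inbound peer flow trips both.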