
False positive IM/P2P detections (Winny, Tencent QQ)

We're seeing quite a few false positive detections with our IM/P2P filter.
Has anyone else been experiencing this?

Two-node ASL cluster, 8.102.

Sample is below:

10:37:18 IM Rule: Tencent QQ TCP
10.100.6.39 : 2351
74.125.91.99 : 443
[ACK PSH] len=403 ttl=126 tos=0x00 srcmac=0:1a:8c:f0:be:42
10:37:28 IM Rule: Tencent QQ TCP
10.100.6.39 : 2353
74.125.91.99 : 443
[ACK PSH] len=403 ttl=126 tos=0x00 srcmac=0:1a:8c:f0:be:42
10:37:36 P2P Rule: Winny TCP
74.117.199.102 : 80
ASL.public.ip.address : 30682
[ACK] len=1420 ttl=122 tos=0x00 srcmac=0:d:9d:c4:88:3 dstmac=0:1a:8c:f0:be:42
10:37:39 IM Rule: Tencent QQ TCP
10.100.6.39 : 2354
74.125.91.99 : 443
[ACK PSH] len=403 ttl=126 tos=0x00 srcmac=0:1a:8c:f0:be:42
10:37:45 P2P Rule: Winny TCP
157.166.255.18 : 80
ASL.public.ip.address : 29437
[ACK] len=1500 ttl=53 tos=0x00 srcmac=0:d:9d:c4:88:3 dstmac=0:1a:8c:f0:be:42
10:37:49 IM Rule: Tencent QQ TCP
10.100.6.39 : 2355
74.125.91.99 : 443
[ACK PSH] len=403 ttl=126 tos=0x00 srcmac=0:1a:8c:f0:be:42
10:37:55 P2P Rule: Winny TCP
74.117.199.102 : 80
ASL.public.ip.address : 30848
[ACK] len=1420 ttl=122 tos=0x00 srcmac=0:d:9d:c4:88:3 dstmac=0:1a:8c:f0:be:42
10:38:01 P2P Rule: Winny TCP
76.13.219.190 : 80
ASL.public.ip.address : 31673
[ACK] len=1500 ttl=57 tos=0x00 srcmac=0:d:9d:c4:88:3 dstmac=0:1a:8c:f0:be:42
10:38:08 P2P Rule: Winny TCP
76.13.219.190 : 80
ASL.public.ip.address : 31740
[ACK] len=1500 ttl=57 tos=0x00 srcmac=0:d:9d:c4:88:3 dstmac=0:1a:8c:f0:be:42
10:38:08 P2P Rule: Winny TCP
ASL.public.ip.address : 29407
74.125.91.106 : 80
[ACK PSH] len=84 ttl=64 tos=0x00 srcmac=0:1a:8c:f0:be:42
10:38:09 P2P Rule: Winny TCP
157.166.255.13 : 80
ASL.public.ip.address : 31308
[ACK] len=1500 ttl=53 tos=0x00 srcmac=0:d:9d:c4:88:3 dstmac=0:1a:8c:f0:be:42
10:38:09 P2P Rule: Winny TCP
157.166.255.13 : 80
ASL.public.ip.address : 31318
[ACK] len=1500 ttl=53 tos=0x00 srcmac=0:d:9d:c4:88:3 dstmac=0:1a:8c:f0:be:42
10:38:14 P2P Rule: Winny TCP
74.117.199.102 : 80
ASL.public.ip.address : 31072
[ACK] len=1420 ttl=122 tos=0x00 srcmac=0:d:9d:c4:88:3 dstmac=0:1a:8c:f0:be:42
10:38:24 P2P Rule: Winny TCP
ASL.public.ip.address : 30404
85.115.22.9 : 80
[ACK PSH] len=742 ttl=64 tos=0x00 srcmac=0:1a:8c:f0:be:42
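
As an added example (not code from the post or from ASL), a small triage script that parses the log format shown above and groups hits by rule and remote endpoint, so that repeated detections against one web server on port 80 or 443 can be reviewed as likely false positives before the rule is tuned or an exception is added. The inside-address test and the web-port heuristic are assumptions, and the embedded sample is constructed from the values in the post.

```python
import re
from collections import defaultdict

# Constructed sample in the thread's log format, values copied from the post
# (the forum's blank line between source and destination is dropped).
SAMPLE = """\
10:37:18 IM Rule: Tencent QQ TCP
10.100.6.39 : 2351
74.125.91.99 : 443
[ACK PSH] len=403 ttl=126 tos=0x00 srcmac=0:1a:8c:f0:be:42
10:37:36 P2P Rule: Winny TCP
74.117.199.102 : 80
ASL.public.ip.address : 30682
[ACK] len=1420 ttl=122 tos=0x00 srcmac=0:d:9d:c4:88:3 dstmac=0:1a:8c:f0:be:42
10:37:39 IM Rule: Tencent QQ TCP
10.100.6.39 : 2354
74.125.91.99 : 443
[ACK PSH] len=403 ttl=126 tos=0x00 srcmac=0:1a:8c:f0:be:42
"""
HEADER = re.compile(r"^(\d\d:\d\d:\d\d) (IM|P2P) Rule: (.+) (TCP|UDP)$")
ENDPOINT = re.compile(r"^(\S+) : (\d+)$")
WEB_PORTS = {80, 443}  # assumption: hits only to these deserve a second look

def is_local(host):
    # Assumption: inside = 10/8 or the firewall's own (redacted) public address.
    return host.startswith("10.") or host == "ASL.public.ip.address"

def parse_log(text):
    """Each record is four lines: header, source, destination, TCP flags/len."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    records = []
    for i in range(0, len(lines) - 3, 4):
        ts, kind, app, proto = HEADER.match(lines[i]).groups()
        src = ENDPOINT.match(lines[i + 1]).groups()
        dst = ENDPOINT.match(lines[i + 2]).groups()
        length = int(re.search(r"len=(\d+)", lines[i + 3]).group(1))
        remote = dst if is_local(src[0]) else src  # the side that is not ours
        records.append({"time": ts, "kind": kind, "app": app, "proto": proto,
                        "remote": (remote[0], int(remote[1])), "len": length})
    return records

def triage(records):
    """Group hits per (app, remote host, remote port); flag web-port-only groups."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["app"],) + r["remote"]].append(r["len"])
    return {key: {"hits": len(lens), "max_len": max(lens),
                  "review": key[2] in WEB_PORTS}
            for key, lens in groups.items()}
```

A group with many hits, one remote host and a well-known port is a candidate to confirm against the actual application on the client before trusting the IM/P2P report.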


  • Hi thomas_brewster

    We used to have the same issue with the oldest version, where people not using an application (i.e. BitTorrent, Winny) could see that on the actual report. I am not sure what happened since then in the IM/P2P background.