11018-eDonkey Activity

darin.marais · ‎11-24-2003

after an update for a sensors 3.1(5) to s62, we are receiving a large amount of events for the new signature 11018-eDonkey Activity, around 12k/hr The source of the alarm is a proxy server on the network. Has any seen or noticed any false positives for this alarm?

mcerha · ‎11-24-2003

With 3.1, it possible for the sensor to get the actual client and server reversed while monitoring a TCP stream. It may be possible for the proxy server to return traffic to the actual client that happens to be using one of the eDonkey ports (4242,4661,4662) as an ephemeral port for an application that matches the pattern for eDonkey traffic. The best solution is to create a filter with the proxy server as a source for this alarm. 4.x sensors should not see this problem.

darin.marais · ‎04-19-2004

I have now upgraded the sensors to version 4.1 (3) but I am still have the same problem where I am receiving zillions of events for the signature ID: 11018.

I have captured some data by enabling iplog for the signature.

Could someone from the Cisco help by taking a look at the data that I have capture and perhaps be able to confirm the events are or are not false?

I could mail the data capture offline

mcerha · ‎04-19-2004

You can email the traffic samples to me at mcerha@cisco.com.