Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Soulseek Client Login

I have an interesting observation. The signature Soulseek Client Login has triggered quite often when the victim’s address is a Nachi infected machine.

The signature is triggered when the attackers port is 135 and the victim’s port is TCP port 2234 or 2240.

Has any one else on the list seen this?

Perhaps some one could try explaining why signature is triggered.

What is the regular expression looking for in the signature?

  • Other Security Subjects
New Member

Re: Soulseek Client Login

I've seen this activity, but not from src port 135. In my case the activity is from src port 80 to dst port 2234. Also, I can't find any cooresponding entry in the Firewall log to correlate to the alarm. There is no Nachi activity in our network that I'm aware of.

I'd also like to know what signature string expression triggers this alarm. Is this a defective signature perhaps?

This widget could not be displayed.