Snort mailing list archives

A bunch of FP's with Skype? (ET rules)


From: NA <dustypath () comcast net>
Date: Mon, 10 Oct 2011 13:51:35 -0700

Hi all,

I was using Skype for 20 minutes and came up with all this via Base:

  Signature (classtype policy-violation)           Total    %    sid

  ET P2P Edonkey Search Request (any type file)      4      2%   2003317
    refs: http://doc.emergingthreats.net/bin/view/Main/2003317
          http://www.giac.org/certified_professionals/practicals/gcih/0446.php
          http://docs.emergingthreats.net/2003317

  ET P2P Edonkey Search Results                      6      2%   2003317
    refs: http://doc.emergingthreats.net/bin/view/Main/2003320
          http://www.giac.org/certified_professionals/practicals/gcih/0446.php
          http://docs.emergingthreats.net/2003320

  ET P2P Edonkey Publicize File                      2      1%   2003310
    refs: http://doc.emergingthreats.net/bin/view/Main/2003310
          http://www.giac.org/certified_professionals/practicals/gcih/0446.php
          http://docs.emergingthreats.net/2003310

  ET P2P Edonkey Connect Reply and Server List       5      2%   2003313
    refs: http://doc.emergingthreats.net/bin/view/Main/2003313
          http://www.giac.org/certified_professionals/practicals/gcih/0446.php
          http://docs.emergingthreats.net/2003313

  ET P2P eMule KAD Network Hello Request (2)         5      2%   2009971
    refs: http://doc.emergingthreats.net/2009971
          http://emule-project.net
          http://docs.emergingthreats.net/2009971

  ET P2P Edonkey Search Reply                        5      2%   2003315
    refs: http://doc.emergingthreats.net/bin/view/Main/2003315
          http://www.giac.org/certified_professionals/practicals/gcih/0446.php
          http://docs.emergingthreats.net/2003315


No files were passed. My reaction is to look at turning off some or most, if
not all, ET policy-violation rules, or at least one FP incident at a time. Any
comments would be appreciated...

Thx
Bill B
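Added example, not part of the original post: a Snort threshold.conf fragment that tunes the six ET P2P eDonkey/eMule signatures listed above for the one host known to run Skype, instead of switching off the whole ET policy-violation category. It uses Snort 2.x's suppress and event_filter directives; the sids are the ones from the BASE listing, while the Skype workstation address 192.168.77.50 is a placeholder assumption (the only address in the post, 192.168.77.37, is the BASE server).

```conf
# threshold.conf (or the same lines placed in snort.conf) -- added example,
# not from the original post.
#
# ASSUMPTION: 192.168.77.50 stands in for the workstation that was running
# Skype; it is a placeholder, not an address from the post.
#
# gen_id 1 is the generator for ordinary text rules, which includes the ET
# rule set. The sig_id values are the ET sids from the alert listing, NOT the
# BASE-internal signature numbers (154, 153, ...) that appear in the BASE
# query links; those mean nothing to Snort.

# 1. Suppress the eDonkey/eMule alerts only when the Skype host is the source.
suppress gen_id 1, sig_id 2003317, track by_src, ip 192.168.77.50
suppress gen_id 1, sig_id 2003320, track by_src, ip 192.168.77.50
suppress gen_id 1, sig_id 2003310, track by_src, ip 192.168.77.50
suppress gen_id 1, sig_id 2003315, track by_src, ip 192.168.77.50
suppress gen_id 1, sig_id 2009971, track by_src, ip 192.168.77.50

# 2. Replies and result messages arrive inbound, so also suppress those
#    signatures when the Skype host is the destination.
suppress gen_id 1, sig_id 2003320, track by_dst, ip 192.168.77.50
suppress gen_id 1, sig_id 2003313, track by_dst, ip 192.168.77.50
suppress gen_id 1, sig_id 2003315, track by_dst, ip 192.168.77.50

# 3. For every other host keep the rules active but limit each signature to
#    one alert per source per hour: a real P2P client on the network still
#    produces an event, without flooding BASE with hundreds of duplicates.
#    Snort allows one event_filter per gen_id/sig_id pair.
event_filter gen_id 1, sig_id 2003317, type limit, track by_src, count 1, seconds 3600
event_filter gen_id 1, sig_id 2003320, type limit, track by_src, count 1, seconds 3600
event_filter gen_id 1, sig_id 2003310, type limit, track by_src, count 1, seconds 3600
event_filter gen_id 1, sig_id 2003313, type limit, track by_src, count 1, seconds 3600
event_filter gen_id 1, sig_id 2003315, type limit, track by_src, count 1, seconds 3600
event_filter gen_id 1, sig_id 2009971, type limit, track by_src, count 1, seconds 3600
```

Suppression is evaluated before the event filters, so the Skype host is silenced for these sids while every other host is still watched, only at a lower alert rate. If a signature turns out to fire on Skype traffic from any host (that is, the rule itself is the problem rather than the one workstation), the next step up is disabling that single sid in the rule manager, for example a `1:2003317` line in pulledpork's disablesid.conf, which is still far narrower than dropping the entire policy-violation class.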
