I am seeing this as well.
I believe we are getting a lot of false positives.
This signature matches against one or more of the following strings:
"\x16\x03\x00\x00\x61\x01\x00\x00\x5d\x03\x00"
"\x00\x05\x00\x0a\x00\x09\x00\x64\x00\x62\x00\x03\x00\x06\x00\x13"
"\x16\x03\x00\x00\x4a\x02\x00\x00\x46\x03\x00"
For example, here is an SSL handshake between two INTERNAL hosts (one of which is running an https server). This does match the 3rd string above, but we know for a fact this is not Ultrasurf.
char peer0_0[] = {                              /* server's first record, C-array dump */
0x16, 0x03, 0x00, 0x00, 0x4a,                   /* record: handshake (0x16), SSL 3.0, length 74 */
0x02, 0x00, 0x00, 0x46,                         /* ServerHello (0x02), handshake length 70 */
0x03, 0x00,                                     /* server_version SSL 3.0 (bytes 0-10 = 3rd string) */
0xa9, 0x85, 0x11, 0xec, 0xdf, 0xc7, 0x2e, 0x72, /* random (32 bytes) */
0x75, 0x91, 0x5c, 0x0c, 0x1c, 0x4d, 0xa3, 0x35,
0xd1, 0xbb, 0x45, 0xd5, 0xed, 0x1d, 0x67, 0x20,
0x68, 0x3d, 0x0d, 0xb5, 0x5c, 0x71, 0x1a, 0xfe,
0x20,                                           /* session_id length 32 */
0xa6, 0xdf, 0xb7, 0x66, 0x3a, 0xfd, 0xfe, 0xdf, /* session_id ... */
0x02, 0xf0, 0xfa, 0x2a, 0xb0, 0xae, 0x34, 0xdb,
/* snip */
};
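As an added illustration (not part of the comment above or of the signature's author), the following Python decodes the 11 fixed bytes that the quoted strings pin down and rebuilds a constructed SSL 3.0 ServerHello: it shows the third string is nothing more than the header of any SSL 3.0 ServerHello carrying a 32-byte session ID, which is why an ordinary internal https server trips it. Field layout follows the SSL 3.0 record and handshake formats; the sample values are constructed.

```python
import struct

# Signature strings quoted above (first = ClientHello header, third = ServerHello header).
SIG_CLIENT_HELLO = b"\x16\x03\x00\x00\x61\x01\x00\x00\x5d\x03\x00"
SIG_SERVER_HELLO = b"\x16\x03\x00\x00\x4a\x02\x00\x00\x46\x03\x00"
HANDSHAKE_TYPES = {0x01: "ClientHello", 0x02: "ServerHello"}


def parse_handshake_prefix(data: bytes) -> dict:
    """Decode the 11 leading bytes: record header (type, version, length),
    handshake header (type, 3-byte length) and the body's protocol version."""
    if len(data) < 11 or data[0] != 0x16:
        raise ValueError("not an SSL/TLS handshake record")
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs_len = int.from_bytes(data[6:9], "big")
    if rec_len != hs_len + 4:
        raise ValueError("record does not hold exactly one handshake message")
    return {
        "record_version": (data[1], data[2]),
        "record_len": rec_len,
        "handshake": HANDSHAKE_TYPES.get(data[5], "other"),
        "handshake_len": hs_len,
        "body_version": (data[9], data[10]),
    }


def server_hello_session_id_len(handshake_len: int) -> int:
    # SSL 3.0 ServerHello body: version(2) + random(32) + sid_len(1) + cipher(2)
    # + compression(1) = 38 fixed bytes; no extensions, so the rest is the session ID.
    return handshake_len - 38


def build_ssl3_server_hello(session_id: bytes, cipher_suite: int) -> bytes:
    """Constructed SSL 3.0 ServerHello (all-zero random) with the given session ID."""
    body = (b"\x03\x00" + bytes(32) + bytes([len(session_id)]) + session_id
            + struct.pack("!H", cipher_suite) + b"\x00")
    msg = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x00" + struct.pack("!H", len(msg)) + msg


def signature_hits(data: bytes) -> list:
    """Names of the quoted prefix strings that a record matches."""
    return [name for name, sig in (("client", SIG_CLIENT_HELLO), ("server", SIG_SERVER_HELLO))
            if data.startswith(sig)]


if __name__ == "__main__":
    info = parse_handshake_prefix(SIG_SERVER_HELLO)
    print(info, "session id bytes:", server_hello_session_id_len(info["handshake_len"]))
    # Any SSL 3.0 server that hands back a 32-byte session ID produces the exact prefix.
    print(signature_hits(build_ssl3_server_hello(bytes(range(32)), 0x000A)))
    print(signature_hits(build_ssl3_server_hello(bytes(16), 0x000A)))
```

The constructed 32-byte-session-ID hello matches the third string while a 16-byte one does not, so the string keys on message length rather than on anything specific to Ultrasurf.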