Snort mailing list archives
Re: morpheus signature?
From: Peter Bates <Peter.Bates () lshtm ac uk>
Date: Sat, 01 Sep 2001 02:03:59 +0100
Hello all...

--------------------------------------------------------------------------------------------------------------------
Peter Bates, Systems Support Officer, Network Support Team.
London School of Hygiene & Tropical Medicine.
Telephone: 0207-927 2124 / Fax: 0207-436 5389 / Pager: 07625 255362
"Olensky, Sven" <sol () intelispan net> 31/08/01 18:53:19 >>>
has anybody found a reliable Morpheus (P2P software) signature yet? I couldnt find anything on snort.org.
I spent a day looking at a few P2P programmes with a view to trying to make signatures for them recently... my lack of knowledge combined with ethereal and snort itself to monitor the traffic resulted in... not much.

I wrote one rule based on the fact that the traffic (incoming) generally looks like:

alert tcp $EXTERNAL_NET 1214 -> $HOME_NET !80 (msg:"Kazaa traffic?"; flags:PA+;)

As the software opens up a 'pseudo' Web-server on port 1214, that's probably the best thing to look for... a couple of minutes after adding this rule I found my first user running the software... Also, just generally blocking TCP/1214 stops both Kazaa/Morpheus even starting up, seeing as that is the port they seem to rely on.

I find AudioGalaxy a lot more interesting, but only managed to squeeze out:

alert tcp $EXTERNAL_NET 21 -> $HOME_NET any (msg:"Audiogalaxy proxy test"; flags:PA+; content: "proxy test";)

as an indicator that someone was starting up the AG software...

Both of these are obviously simplistic and rough, being my first attempts; I'd be interested in seeing any other similar rules from others.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
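The two rules in the post, evaluated against a handful of constructed packets. This is an added example written for this archive page, not code from the poster or from Snort: a small Python model of the Snort rule header (direction, `$HOME_NET`/`$EXTERNAL_NET`, `!80`, `any`) and of the `flags:` and `content:` options, enough to show why a SYN/ACK on 1214 or a reply to port 80 does not fire while a PSH/ACK with extra flags does. The `HOME_NET` range, the peer addresses and the payloads are assumptions chosen from the RFC 5737 documentation ranges; real Snort parses far more than this.

```python
"""Minimal evaluator for the two Snort rules from the post (added example, not Snort code)."""
import ipaddress
import re
from dataclasses import dataclass

# TCP flag letters as Snort names them, mapped to their header bits
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}

# Assumed site variable; snort.conf's usual convention is EXTERNAL_NET = !HOME_NET
HOME_NET = ipaddress.ip_network("192.0.2.0/24")

# The two rules exactly as posted
RULES = [
    'alert tcp $EXTERNAL_NET 1214 -> $HOME_NET !80 (msg:"Kazaa traffic?"; flags:PA+;)',
    'alert tcp $EXTERNAL_NET 21 -> $HOME_NET any (msg:"Audiogalaxy proxy test"; flags:PA+; content: "proxy test";)',
]


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # letters from FLAG_BITS, e.g. "PA", "SA"
    payload: bytes = b""


HEADER_RE = re.compile(r"^alert\s+tcp\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$")


def parse_rule(text):
    """Split header and options. Option values containing ';' are not handled here."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("unsupported rule: " + text)
    src, sport, dst, dport, body = m.groups()
    opts = {}
    for item in body.split(";"):
        item = item.strip()
        if item:
            key, _, val = item.partition(":")
            opts[key.strip()] = val.strip().strip('"')
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "opts": opts}


def net_match(spec, ip):
    addr = ipaddress.ip_address(ip)
    if spec == "any":
        return True
    if spec == "$HOME_NET":
        return addr in HOME_NET
    if spec == "$EXTERNAL_NET":
        return addr not in HOME_NET
    negate = spec.startswith("!")
    return (addr in ipaddress.ip_network(spec.lstrip("!"), strict=False)) != negate


def port_match(spec, port):
    if spec == "any":
        return True
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if ":" in spec:                          # low:high range, either side optional
        lo, _, hi = spec.partition(":")
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = port == int(spec)
    return hit != negate


def flags_match(spec, flags):
    """Snort semantics: 'PA' is an exact match, 'PA+' is P and A plus any others,
    'PA*' is any of P or A. The '!' modifier is not modelled."""
    mode = spec[-1] if spec[-1] in "+*" else ""
    want = sum(FLAG_BITS[c] for c in spec.rstrip("+*"))
    have = sum(FLAG_BITS[c] for c in flags)
    if mode == "+":
        return (have & want) == want
    if mode == "*":
        return (have & want) != 0
    return have == want


def rule_matches(rule, pkt):
    if not (net_match(rule["src"], pkt.src) and port_match(rule["sport"], pkt.sport)
            and net_match(rule["dst"], pkt.dst) and port_match(rule["dport"], pkt.dport)):
        return False
    opts = rule["opts"]
    if "flags" in opts and not flags_match(opts["flags"], pkt.flags):
        return False
    if "content" in opts and opts["content"].encode() not in pkt.payload:
        return False
    return True


def alerts(packets, rule_texts=RULES):
    """Return the msg of every rule each packet triggers, in packet order."""
    rules = [parse_rule(r) for r in rule_texts]
    return [r["opts"]["msg"] for p in packets for r in rules if rule_matches(r, p)]


# Constructed traffic: 203.0.113.x is "outside", 192.0.2.x is the assumed HOME_NET
SAMPLE = [
    Packet("203.0.113.7", 1214, "192.0.2.10", 3456, "PA", b"HTTP/1.0 200 OK\r\n"),  # KaZaA reply
    Packet("203.0.113.7", 1214, "192.0.2.10", 80, "PA", b"HTTP/1.0 200 OK\r\n"),    # dport 80 excluded
    Packet("203.0.113.7", 1214, "192.0.2.10", 3456, "SA"),                          # SYN/ACK, no P
    Packet("203.0.113.7", 1214, "192.0.2.10", 3458, "PAU", b"data"),                # PA+ allows URG
    Packet("203.0.113.9", 21, "192.0.2.11", 4001, "PA", b"220 proxy test\r\n"),     # AG probe reply
    Packet("203.0.113.9", 21, "192.0.2.11", 4002, "PA", b"220 ftp ready\r\n"),      # plain FTP banner
    Packet("192.0.2.5", 1214, "192.0.2.10", 3457, "PA", b"data"),                   # internal source
]

if __name__ == "__main__":
    for msg in alerts(SAMPLE):
        print(msg)
```

Running it prints "Kazaa traffic?" twice and "Audiogalaxy proxy test" once; the port-80 reply, the SYN/ACK and the internal-to-internal connection produce nothing, which is the behaviour the `!80`, `flags:PA+` and `$EXTERNAL_NET` parts of the posted rules are there to give.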
Current thread:
- morpheus signature? Olensky, Sven (Aug 31)
- <Possible follow-ups>
- Re: morpheus signature? Peter Bates (Aug 31)