Snort mailing list archives
RE: Limewire
From: "James Friesen" <lucretia () telusplanet net>
Date: Thu, 6 Sep 2001 08:29:29 -0600
Hi,

How about a signature to bypass normal method? I mean, seeing "undefined code" ICMP errors means little to me, especially if it's part of the normal connection methodology. I would be more interested in seeing if someone has cracked a client or rewrote the stream to affect their own design within the realm of a normal P2P connection. Warning me of a "Gnutella client" again doesn't tell me if this is hostile, suspicious, or normal.

Perhaps if I worked in an uptight corporate environment where users could be swapping dirty pictures I would be very interested in seeing any of this and logging it, but from a security standpoint without restriction to the users (activity) I would like to allow (read not be warned) normal activity, but any other types of activity would be alerted.

Morpheus released an update 1.3.3 this week to address security functions. To get the update you can download it from someone else who already got it.

Besides the common and well known risks of P2P, has anyone addressed the functionality or bypass capacity of this and other known software tools that utilize a similar connection scheme?

Examples of current P2P clients are:

- Trillian (this has known bugs currently, but is in beta)
- Morpheus - One of the larger of the P2P farms...
- Kazaa - This and Morpheus use the same connections and I believe they inter-com.
- LimeWire - the JRE Gnutella client
- iMesh - Not too much I can say about this one
- Hotline - This uses distinct client/server wares to determine whether you're sharing or getting.
- AudioGalaxy - This uses a distinct HTTP protocol for finding and retrieving files. They offer their servers as well as the users for downloads.

The first three seem to be the more popular and utilize an interesting sharing technique. The latter three I'm not as familiar with.

Thanks,

-----
James Friesen - Integration Specialist
Lucretia Enterprises - info () lucretia ca
www.lucretia.ca
:> -----Original Message-----
:> From: snort-users-admin () lists sourceforge net
:> [mailto:snort-users-admin () lists sourceforge net]On Behalf Of Stan Scalsky
:> Sent: Wednesday, September 05, 2001 7:14 PM
:> To: snort-users () lists sourceforge net
:> Subject: Re: [Snort-users] Limewire
:>
:>
:> > Has anyone captured a Limewire session and developed a Snort rule to detect
:> > this specific variant of Gnutella?
:>
:> I find that some of the agents have a specific User-Agent string, LimeWire
:> uses "User-Agent: LimeWire" in its html.
:>
:> -= stan
:>
:>
:>
:> _______________________________________________
:> Snort-users mailing list
:> Snort-users () lists sourceforge net
:> Go to this URL to change user options or unsubscribe:
:> https://lists.sourceforge.net/lists/listinfo/snort-users
:> Snort-users list archive:
:> http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Limewire Joe Lawson (Sep 05)
- Re: Limewire rottz (Sep 05)
- Re: Limewire Stan Scalsky (Sep 05)
- RE: Limewire James Friesen (Sep 06)