Snort mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Limewire

From: "James Friesen" <lucretia () telusplanet net>
Date: Thu, 6 Sep 2001 08:29:29 -0600
Hi,

How about a signature to bypass normal method?  I mean, seeing "undefined
code" ICMP errors means little to me, especially if it's part of the normal
connection methodology.  I would be more interested in seeing if someone has
cracked a client or rewrote the stream to affect their own design within the
realm of a normal P2P connection. Warning me of a "Gnutella client" again
doesn't tell me if this is hostile, suspicious, or normal.

Perhaps if I worked in a uptight corporate environment where users could be
swapping dirty pictures I would be very interested in seeing any of this and
logging it, but from a security standpoint without restriction to the users
(activity) I would like to allow (read not be warned) normal activity, but
any other types of activity would be alerted.

Mopheus released an update 1.3.3 this week to address security functions.
To get the update you can download it from someone else who already got it.

Besides the common and well known risks of P2P, has anyone addressed the
functionality or bypass capacity of this and other known software tools that
utilize a similar connection scheme?

Examples of current P2P clients are:

Trillian (this has known bugs currently, but is in beta)
Morpheus - One of the larger of the P2P farms...
Kazaa - This and morpheus use the same connections and I beleive they
inter-com.
LimeWire - the JRE Gnutella client
iMesh - Not too much I can say about this one
Hotline - This uses distinct client/server wares to determine whether your
sharing or getting.
AudioGalaxy - This uses a distinct HTTP protocal for finding and retrieving
files.  They offer their servers as well as the users for downloads.

The first three seem to be the more popular and utilize a interesting
sharing technique.
The latter three I'm not as familiar with.

Thanks,
-----  James Friesen - Integration Specialist
Lucretia Enterprises - info () lucretia ca
www.lucretia.ca

:> -----Original Message-----
:> From: snort-users-admin () lists sourceforge net
:> [mailto:snort-users-admin () lists sourceforge net]On Behalf Of Stan
:> Scalsky
:> Sent: Wednesday, September 05, 2001 7:14 PM
:> To: snort-users () lists sourceforge net
:> Subject: Re: [Snort-users] Limewire
:>
:>
:> > Has anyone captured a Limewire session and developed a Snort rule to
:> detect
:> > this specific variant of Gnutella?
:>
:> I find that some of the agents have a specific User-Agent
:> string, LimeWire
:> uses "User-Agent: LimeWire" in its html.
:>
:> -= stan
:>
:>
:>
:> _______________________________________________
:> Snort-users mailing list
:> Snort-users () lists sourceforge net
:> Go to this URL to change user options or unsubscribe:
:> https://lists.sourceforge.net/lists/listinfo/snort-users
:> Snort-users list archive:
:> http://www.geocrawler.com/redir-sf.php3?list=snort-users



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: