Snort mailing list archives

Re: Snort on W2K: Rules for AudioGalaxy


From: Chris Green <cmg () uab edu>
Date: Thu, 21 Feb 2002 14:22:39 -0600

Brian Ertel <bsertel () amherst edu> writes:

Does anyone have any good rules
for monitoring AudioGalaxy traffic?



02/21-14:
xxx.xxx.xxx.xxx:2190 -> 64.245.58.230:21 TCP TTL:127 TOS:0x0 ID:55423 IpLen:20 DgmLen:45 DF
***AP*** Seq: 0x595495  Ack: 0xC3A358DA  Win: 0xFD40  TcpLen: 20
45 5F 00 03 05                                   E_...

Looks like lots of them do keepalives of that exact packet


so

# match the 5-byte keepalive payload at the very start of the TCP data
alert tcp $HOME_NET any -> 64.245.58.0/23 any \
    (content: "|45 5F 00 03 05|"; offset: 0; depth: 5; \
     msg: "Audio Galaxy keepalive?";)

Should give you a good idea of machines doing audiogalaxy.

Since you work at a school, I have probably the same problem of
tracking hoggish users right now and you may wish to try out
http://ipaudit.sourceforge.net to find bandwidth hogs.  It's designed
for that :-)
-- 
Chris Green <cmg () uab edu>
Fame may be fleeting but obscurity is forever.
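The rule above relies on Snort's content/offset/depth semantics: with offset 0 and depth 5, the five-byte pattern has to sit at the very start of the payload, and the destination must fall inside 64.245.58.0/23. The following is an added Python example, not code from the thread or from the Snort project, that reimplements exactly that matching logic over a handful of constructed packet records (all hosts and payloads are made up) so you can see which packets the rule would and would not flag, including the edge case where the pattern is shifted by one byte and falls outside the depth window.

```python
import ipaddress

# Transcription of the mailing-list rule's options (hypothetical dict layout).
RULE = {
    "proto": "tcp",
    "dst_net": ipaddress.ip_network("64.245.58.0/23"),
    "content": bytes.fromhex("455f000305"),   # |45 5F 00 03 05|
    "offset": 0,
    "depth": 5,
    "msg": "Audio Galaxy keepalive?",
}


def content_matches(payload: bytes, content: bytes, offset: int, depth: int) -> bool:
    """Snort content/offset/depth semantics.

    The search window is payload[offset:offset+depth]; the whole pattern
    must fit inside that window, so a 5-byte pattern with offset 0 and
    depth 5 only matches when it starts at byte 0.
    """
    window = payload[offset:offset + depth]
    return content in window


def rule_matches(rule: dict, pkt: dict) -> bool:
    """Apply the protocol, destination-network and content checks of the rule."""
    if pkt["proto"] != rule["proto"]:
        return False
    if ipaddress.ip_address(pkt["dst"]) not in rule["dst_net"]:
        return False
    return content_matches(pkt["payload"], rule["content"],
                           rule["offset"], rule["depth"])


# Constructed sample traffic (not real captures): src, dst, proto, payload.
PACKETS = [
    # keepalive exactly at offset 0 -> match
    {"src": "10.0.0.5", "dst": "64.245.58.230", "proto": "tcp",
     "payload": bytes.fromhex("455f000305")},
    # pattern shifted by one byte: falls outside the 5-byte depth window -> no match
    {"src": "10.0.0.7", "dst": "64.245.59.12", "proto": "tcp",
     "payload": b"\x00" + bytes.fromhex("455f000305")},
    # right payload, but destination is outside 64.245.58.0/23 -> no match
    {"src": "10.0.0.9", "dst": "64.245.60.1", "proto": "tcp",
     "payload": bytes.fromhex("455f000305")},
    # right payload and destination, wrong protocol -> no match
    {"src": "10.0.0.5", "dst": "64.245.58.230", "proto": "udp",
     "payload": bytes.fromhex("455f000305")},
    # pattern at offset 0 followed by more data: trailing bytes are fine -> match
    {"src": "10.0.0.11", "dst": "64.245.58.1", "proto": "tcp",
     "payload": bytes.fromhex("455f000305") + b"extra"},
]


def flag_hosts(rule: dict, packets: list) -> list:
    """Return the sorted set of source hosts that triggered the rule at least once."""
    return sorted({p["src"] for p in packets if rule_matches(rule, p)})


if __name__ == "__main__":
    for host in flag_hosts(RULE, PACKETS):
        print(f"{RULE['msg']} from {host}")
```

Running the script lists the two constructed hosts whose packets start with the keepalive bytes and are bound for the 64.245.58.0/23 range; the shifted, off-network and UDP records are ignored, which is the behaviour you should expect from the Snort rule itself.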

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users