Snort mailing list archives
Re: Snort on W2K: Rules for AudioGalaxy
From: Chris Green <cmg () uab edu>
Date: Thu, 21 Feb 2002 14:22:39 -0600
Brian Ertel <bsertel () amherst edu> writes:
Does anyone have any good rules for monitoring AudioGalaxy traffic?
02/21-14: xxx.xxx.xxx.xxx:2190 -> 64.245.58.230:21 TCP TTL:127 TOS:0x0 ID:55423 IpLen:20 DgmLen:45 DF
***AP*** Seq: 0x595495 Ack: 0xC3A358DA Win: 0xFD40 TcpLen: 20
45 5F 00 03 05                                  E_...

Looks like lots of them do keepalives of that exact packet, so

alert tcp $HOME_NET any -> 64.245.58.0/23 any \
    (content: "|45 5F 00 03 05|"; offset: 0; depth: 5; msg: "Audio Galaxy keepalive?";)

should give you a good idea of machines doing audiogalaxy.

Since you work at a school, I have probably the same problem of tracking hoggish users right now, and you may wish to try out http://ipaudit.sourceforge.net to find bandwidth hogs. It's designed for that :-)

-- 
Chris Green <cmg () uab edu>
Fame may be fleeting but obscurity is forever.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
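The rule above matches on the exact 5-byte payload shown in the alert (DgmLen 45 minus a 20-byte IP header and a 20-byte TCP header leaves 5 bytes of data, which is why the content is pinned with offset 0 and depth 5). The following is an added example, not code from the original message or from the Snort project: it re-implements the rule's matching logic in Python over a handful of constructed packet records so that the offset/depth window and the /23 destination check can be seen working. The `$HOME_NET` value (10.0.0.0/8) and all sample packets are assumptions made up for the illustration; the 64.245.58.0/23 range and the `|45 5F 00 03 05|` bytes come from the post.

```python
import ipaddress
from typing import NamedTuple, Optional

# Rule parameters. AG_NET and KEEPALIVE are taken from the posted rule and
# alert; HOME_NET is an assumed placeholder for the school's address space.
HOME_NET = ipaddress.ip_network("10.0.0.0/8")
AG_NET = ipaddress.ip_network("64.245.58.0/23")
KEEPALIVE = bytes.fromhex("455F000305")   # |45 5F 00 03 05|, prints as "E_..."
OFFSET, DEPTH = 0, 5


class Packet(NamedTuple):
    src: str
    dst: str
    payload: bytes


def content_match(payload: bytes, pattern: bytes,
                  offset: int = 0, depth: Optional[int] = None) -> bool:
    """Snort-style content match.

    The pattern must lie entirely inside the search window that starts at
    `offset` and spans `depth` bytes (the rest of the payload if depth is
    None). With offset 0, as in the posted rule, it makes no difference
    whether depth is counted from the offset or from the start of the payload.
    """
    end = len(payload) if depth is None else offset + depth
    return payload.find(pattern, offset, end) != -1


def is_ag_keepalive(pkt: Packet) -> bool:
    """Apply the header and content conditions of the posted rule."""
    return (ipaddress.ip_address(pkt.src) in HOME_NET
            and ipaddress.ip_address(pkt.dst) in AG_NET
            and content_match(pkt.payload, KEEPALIVE, OFFSET, DEPTH))


def audiogalaxy_hosts(packets) -> list:
    """Return the sorted set of internal hosts that sent a keepalive."""
    return sorted({p.src for p in packets if is_ag_keepalive(p)})


# Constructed sample traffic (not captured data).
SAMPLE = [
    # exact keepalive to the host seen in the alert: matches
    Packet("10.1.2.3", "64.245.58.230", KEEPALIVE),
    # keepalive with trailing bytes, to another host in the /23: matches
    Packet("10.1.2.4", "64.245.59.7", KEEPALIVE + b"junk"),
    # same bytes shifted by one: falls outside the offset 0 / depth 5 window
    Packet("10.1.2.5", "64.245.58.230", b"\x00" + KEEPALIVE),
    # right bytes, but destination is outside 64.245.58.0/23
    Packet("10.1.2.6", "64.245.60.1", KEEPALIVE),
    # ordinary FTP command to the same server: no match
    Packet("10.1.2.3", "64.245.58.230", b"USER anonymous\r\n"),
    # source not in $HOME_NET
    Packet("172.16.0.9", "64.245.58.230", KEEPALIVE),
]

if __name__ == "__main__":
    for host in audiogalaxy_hosts(SAMPLE):
        print("Audio Galaxy keepalive? from", host)
```

Snort itself would raise one alert per keepalive; collapsing the alerts to a list of source hosts, as `audiogalaxy_hosts` does, is the view the original question was after (which machines are running the client), and is what you would do when post-processing the alert log.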
Current thread:
- Snort on W2K: Rules for AudioGalaxy Brian Ertel (Feb 21)
- Re: Snort on W2K: Rules for AudioGalaxy Chris Green (Feb 21)
- <Possible follow-ups>
- RE: Snort on W2K: Rules for AudioGalaxy Schooley, Chris (Feb 21)