Re: I am popular today...

[epadin () WAGWEB COM (Ed Padin)]

If anyone wants a good way to detect napster usage (as well as lots of other
shenanigans) you might try using snort IDS.
http://myweb.clark.net/~roesch/

"A Lightweight Intrusion Detection System"

Jim Forster wrote some snort rules to report on Napster usage.
http://snort.rapidnet.com/

Here are the Napster Rules that show ports and content. You can adapt this
to your own IDS. It triggers for me whenever I go on napster (I only use
napster for research purposes ;^>  )

alert tcp any any <> any 6699 (msg:"Napster Client Data"; flags:PA;
content:".mp3"; nocase;)
alert tcp any any <> any 8888 (msg:"Napster 8888 Data"; flags:PA;
content:".mp3"; nocase;)
alert tcp any any <> any 7777 (msg:"Napster 7777 Data"; flags:PA;
content:".mp3"; nocase;)
alert tcp any any <> any 6666 (msg:"Napster 6666 Data"; flags:PA;
content:".mp3"; nocase;)
alert tcp any any <> any 5555 (msg:"Napster 5555 Data"; flags:PA;
content:".mp3"; nocase;)
alert tcp any any <> any 4444 (msg:"Napster 4444 Data"; flags:PA;
content:".mp3"; nocase;)
alert tcp any any <> any 8875 (msg:"Napster Server Login"; flags:PA;
content:"anon () napster com";)

> -----Original Message-----
> From: Rod MacPherson [mailto:rmacphe () COMPTON NET]
> Sent: Tuesday, May 02, 2000 4:06 PM
> To: INCIDENTS () SECURITYFOCUS COM
> Subject: Re: I am popular today...
>
>
> Napster runs on a (semi)randomly chosen port. It could very
> well be 6688 on
> one of your machines.
>
> -----Original Message-----
> From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM]On
> Behalf Of Dirk Koopman
> Sent: Saturday, April 29, 2000 7:51 AM
> To: INCIDENTS () SECURITYFOCUS COM
> Subject: Re: I am popular today...
>
>
> If that is what is running on port 6688 then probably yes,
> although very
> close questioning of the users seem to indicate that napster
> "isn't being
> used".
>
> There does seem to be a awful lot of activity between one of
> my machines and
> the various icmp addresses on port 6688. I thought napster ran on a
> different
> port?
>
> On 29-Apr-2000 Ryan Sweat wrote:
> >      You or one of your machines have Napster running ?  This is the
> likely
> > cause for the ping requests.  Napster's clients ping the
> host when making
> a
> > query to find the response time of that host.
> >
> > Ryan
> > ----- Original Message -----
> > From: "Dirk Koopman" <djk () TOBIT CO UK>
> > To: <INCIDENTS () SECURITYFOCUS COM>
> > Sent: Friday, April 28, 2000 3:45 AM
> > Subject: I am popular today...
> >
> >
> > > Are ALL these people _really_ interested in the response
> time of my class
> > C?
> > > Or is this some kind of of (pointless) DoS? Has one of
> hidden M$ machines
> > > been acquired by some trojan?
> > >
> > > Are you one of these?
> > > ---------------------------- cut
> > here --------------------------------------
> > > Apr 27 16:44:24 gate iplog[10085]: ICMP: echo from
> > cgowave-33-48.cgocable.net
> > > (8 bytes)
> > > Apr 27 16:46:23 gate iplog[10085]: ICMP: echo from
> i0567.vwr.wanadoo.nl
> (8
> > > bytes)
> > > Apr 27 17:42:49 gate iplog[10085]: ICMP: echo from
> > > csvr4068.st-poelten.cso.net (8 bytes)
> > > Apr 27 18:07:01 gate iplog[10085]: ICMP: echo from
> A5a74.pppool.de (8
> > bytes)
>
> --
> Dirk-Jan Koopman, Tobit Computer Co Ltd
> At the source of every error which is blamed on the computer
> you will find
> at least two human errors, including the error of blaming it on the
> computer.