Snort mailing list archives

Re: morpheus signature?


From: Peter Bates <Peter.Bates () lshtm ac uk>
Date: Sat, 01 Sep 2001 02:03:59 +0100


Hello all...

-------------------------------------------------------------------------------------------------------------------->
Peter Bates, Systems Support Officer, Network Support Team.
London School of Hygiene & Tropical Medicine.
Telephone:0207-927 2124 / Fax: 0207-436 5389 / Pager: 07625 255362

"Olensky, Sven" <sol () intelispan net> 31/08/01 18:53:19 >>>

Has anybody found a reliable Morpheus (P2P software) signature yet? I
couldn't find anything on snort.org.

I spent a day looking at a few P2P programmes with a view to trying to
make signatures for them recently... my lack of knowledge combined 
with ethereal and snort itself to monitor the traffic resulted in... not much.

I wrote one rule based on the fact that the traffic (incoming) generally looks
like:

alert tcp $EXTERNAL_NET 1214 -> $HOME_NET !80 (msg:"Kazaa traffic?"; flags:PA+;)

As the software opens up a 'pseudo' Web-server on port 1214, that's probably the best thing to look for... a couple of 
minutes after adding this rule I found my first user running the software...

Also just generally blocking TCP/1214 stops both Kazaa/Morpheus even starting up, seeing as that is the port they seem 
to rely on.

I find AudioGalaxy a lot more interesting, but only managed 
to squeeze out:

alert tcp $EXTERNAL_NET 21 -> $HOME_NET any (msg:"Audiogalaxy proxy test"; flags:PA+; content: "proxy test";)

as an indicator that someone was starting up the AG software...

Both of these are obviously simplistic and rough, being my first attempts, I'd be interested in seeing any other 
similar rules from others.
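To make explicit what the two rules above actually test for, here is a small rule evaluator added as an example (my own code, not Snort's and not from the thread): it parses the header and the flags/content options and runs both rules over constructed packets. $HOME_NET is assumed to be 192.0.2.0/24 and the payloads are made up.

```python
import ipaddress
import re
# Assumed site variable (constructed); the post leaves $HOME_NET to snort.conf.
# $EXTERNAL_NET is taken as "anything not in $HOME_NET".
HOME_NET = ipaddress.ip_network("192.0.2.0/24")
RULE_RE = re.compile(r"alert tcp (\S+) (\S+) -> (\S+) (\S+) \((.*)\)")

def parse_rule(text):
    # Split a Snort 1.x style rule into header fields and an option dict.
    src_ip, src_port, dst_ip, dst_port, body = RULE_RE.match(text).groups()
    opts = {}
    for opt in filter(None, (o.strip() for o in body.split(";"))):
        key, _, val = opt.partition(":")
        opts[key.strip()] = val.strip().strip('"')
    return dict(src_ip=src_ip, src_port=src_port, dst_ip=dst_ip, dst_port=dst_port, opts=opts)

def _ip_ok(spec, ip):
    # Only the variables the post's rules use are resolved.
    inside = ipaddress.ip_address(ip) in HOME_NET
    return {"$HOME_NET": inside, "$EXTERNAL_NET": not inside, "any": True}[spec]

def _port_ok(spec, port):
    # "!80" negates a port; "any" matches everything.
    return spec == "any" or (port != int(spec[1:]) if spec[0] == "!" else port == int(spec))

def _flags_ok(spec, flags):
    # "PA+" means PSH and ACK must be set; other flags may be set as well.
    want = set(spec.rstrip("+"))
    return want <= set(flags) if spec.endswith("+") else want == set(flags)

def rule_matches(rule, pkt):
    o = rule["opts"]
    return (_ip_ok(rule["src_ip"], pkt["src"]) and _port_ok(rule["src_port"], pkt["sport"])
            and _ip_ok(rule["dst_ip"], pkt["dst"]) and _port_ok(rule["dst_port"], pkt["dport"])
            and ("flags" not in o or _flags_ok(o["flags"], pkt["flags"]))
            and ("content" not in o or o["content"].encode() in pkt["payload"]))

RULES = [parse_rule(r) for r in (
    'alert tcp $EXTERNAL_NET 1214 -> $HOME_NET !80 (msg:"Kazaa traffic?"; flags:PA+;)',
    'alert tcp $EXTERNAL_NET 21 -> $HOME_NET any (msg:"Audiogalaxy proxy test"; flags:PA+; content: "proxy test";)',
)]
PACKETS = [  # constructed flows; payloads are illustrative, not real client output
    dict(src="203.0.113.5", sport=1214, dst="192.0.2.10", dport=3456, flags="PA", payload=b"HTTP/1.0 200 OK\r\n"),
    dict(src="203.0.113.5", sport=1214, dst="192.0.2.10", dport=80, flags="PA", payload=b"HTTP/1.0 200 OK\r\n"),
    dict(src="203.0.113.9", sport=21, dst="192.0.2.10", dport=5000, flags="PA", payload=b"220 proxy test\r\n"),
    dict(src="203.0.113.9", sport=21, dst="192.0.2.10", dport=5000, flags="PA", payload=b"220 FTP ready\r\n"),
]

def alerts(packets, rules=RULES):
    # The msg of every rule that fires, in packet order.
    return [r["opts"]["msg"] for p in packets for r in rules if rule_matches(r, p)]
```

Running it on the constructed packets shows the limits of the Kazaa rule: it fires on any PSH/ACK segment from source port 1214 to a non-80 port, with no check on the payload, so it is an indicator rather than a signature.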



