Snort mailing list archives
p2p bird-dog rules
From: David Bianco <bianco () jlab org>
Date: Wed, 24 Apr 2002 13:06:42 -0400
Mike Shaw writes:
Has anyone developed a comprehensive list of snort rules for catching any and all P2P filesharing traffic--at least as far as they are 'catchable'? I know there's a generic gnutella one, but we're having to clamp down hard on this stuff, and it would be cool if someone's already written some for the rest.
I use the following for Gnutella and Kazaa:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P GNUTella connection attempt"; flags:A+; content:"GNUTELLA CONNECT"; depth:20; classtype:misc-activity; rev:3;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 1214 (msg:"P2P Kazaa cleartext traffic"; flags:A+; content:"X-Kazaa-Username"; classtype:misc-activity; rev:1;)

The Gnutella rule works very well, but I'm still wondering about the Kazaa rule. The problem is that much of the traffic seems to be encrypted (or at least obfuscated) so there aren't very many cleartext strings to check for. On the other hand, it doesn't seem to have any option right now to change the default port, which might make up for that. If anyone can improve on these, especially the Kazaa rule, I'm interested in hearing about it.

David

--
David J. Bianco, GSEC <bianco () jlab org>
Thomas Jefferson National Accelerator Facility
The views expressed herein are solely those of the author and not those of SURA/Jefferson Lab or the US DOE.
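To make concrete how the two rules above decide (content match, the depth:20 window on the Gnutella rule, and the fixed destination port 1214 on the Kazaa rule), here is an added Python re-implementation of just that matching logic, run over constructed sample payloads. It is not code from the post or from Snort; the direction ($HOME_NET -> $EXTERNAL_NET) and flags:A+ checks are deliberately left out, and the sample payloads are made up rather than captured.

```python
"""Toy matcher for the content/depth/port parts of the two Snort rules in the
post.  Sample payloads below are constructed for illustration, not captures."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    msg: str
    dst_port: Optional[int]          # None means the rule's port is 'any'
    content: bytes                   # the content:"..." string of the rule
    depth: Optional[int] = None      # depth:N => pattern must lie fully in first N payload bytes


@dataclass
class Packet:
    dst_port: int
    payload: bytes


RULES = [
    Rule("P2P GNUTella connection attempt", None, b"GNUTELLA CONNECT", depth=20),
    Rule("P2P Kazaa cleartext traffic", 1214, b"X-Kazaa-Username"),
]


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """True if the packet's port and payload satisfy the rule (direction/flags ignored)."""
    if rule.dst_port is not None and pkt.dst_port != rule.dst_port:
        return False
    # Snort's depth truncates the search window; a pattern that starts inside the
    # window but ends beyond it does not match.
    haystack = pkt.payload if rule.depth is None else pkt.payload[:rule.depth]
    return rule.content in haystack


def alerts(pkt: Packet) -> List[str]:
    """Messages of every rule that fires on this packet."""
    return [r.msg for r in RULES if rule_matches(r, pkt)]


# Constructed samples (hypothetical payloads, not real traffic)
SAMPLES = {
    # handshake string at offset 0: fits inside depth 20
    "gnutella_handshake": Packet(6346, b"GNUTELLA CONNECT/0.4\n\n"),
    # 5 bytes of junk push the 16-byte pattern past byte 20: depth defeats it
    "gnutella_late": Packet(6346, b"xxxxx" + b"GNUTELLA CONNECT/0.4\n\n"),
    "kazaa_cleartext": Packet(1214, b"GET / HTTP/1.1\r\nX-Kazaa-Username: alice\r\n\r\n"),
    # obfuscated bytes on the default port: the content rule is blind to it
    "kazaa_obfuscated": Packet(1214, bytes(range(0x80, 0xA0))),
    # cleartext header but not on port 1214: the port qualifier excludes it
    "kazaa_other_port": Packet(80, b"X-Kazaa-Username: bob\r\n"),
}
```

The "kazaa_obfuscated" sample is the case the post worries about: on port 1214 with no cleartext string, the content rule is silent, which is why the fixed default port is the remaining hook.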