Snort mailing list archives

p2p bird-dog rules


From: David Bianco <bianco () jlab org>
Date: Wed, 24 Apr 2002 13:06:42 -0400

Mike Shaw writes:
> Has anyone developed a comprehensive list of snort rules for catching any
> and all P2P filesharing traffic--at least as far as they are
> 'catchable'?  I know there's a generic gnutella one, but we're having to
> clamp down hard on this stuff, and it would be cool if someone's already
> written some for the rest.


I use the following for Gnutella and Kazaa:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P GNUTella connection attempt"; flags:A+; content:"GNUTELLA CONNECT"; depth:20; classtype:misc-activity; rev:3;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 1214 (msg:"P2P Kazaa cleartext traffic"; flags:A+; content:"X-Kazaa-Username"; classtype:misc-activity; rev:1;)

The Gnutella rule works very well, but I'm still wondering about the Kazaa
rule.  The problem is that much of the traffic seems to be encrypted (or
at least obfuscated) so there aren't very many cleartext strings to 
check for.  On the other hand, it doesn't seem to have any option right
now to change the default port, which might make up for that. 

If anyone can improve on these, especially the Kazaa rule, I'm
interested in hearing about it.

           David

-- 
David J. Bianco, GSEC           <bianco () jlab org>
Thomas Jefferson National Accelerator Facility

     The views expressed herein are solely those of the author and
            not those of SURA/Jefferson Lab or the US DOE.
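To make the behaviour of the two rules above concrete, here is a small added example (not from the original post and not Snort itself) that re-implements only the parts of the rule semantics the thread turns on: the destination-port constraint, the `content` substring match, and `depth`, which limits the search to the first N payload bytes. It ignores `flags:A+` and the `$HOME_NET -> $EXTERNAL_NET` direction. The sample payloads are constructed, not captures; the port numbers 6346 and 1214 are the conventional Gnutella and Kazaa ports. The last sample shows the caveat raised in the post: once the Kazaa header is obfuscated, a cleartext content rule has nothing left to match.

```python
# Added example: minimal re-implementation of the content checks in the two
# Snort rules from the post, run over constructed sample TCP payloads.
# Mirrors only: destination port, 'content' substring match, and 'depth'
# (the pattern must lie entirely within the first `depth` payload bytes).
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    msg: str
    dst_port: Optional[int]        # None means 'any', as in the Gnutella rule
    content: bytes
    depth: Optional[int] = None    # None means search the whole payload


# The two rules from the post, reduced to the fields modelled here.
RULES = [
    Rule("P2P GNUTella connection attempt", None, b"GNUTELLA CONNECT", depth=20),
    Rule("P2P Kazaa cleartext traffic", 1214, b"X-Kazaa-Username"),
]


def rule_matches(rule: Rule, dst_port: int, payload: bytes) -> bool:
    """Return True if the rule's port and content constraints both hold."""
    if rule.dst_port is not None and dst_port != rule.dst_port:
        return False
    # 'depth' restricts the search window to the first N bytes of payload.
    window = payload if rule.depth is None else payload[: rule.depth]
    return rule.content in window


def inspect(dst_port: int, payload: bytes) -> List[str]:
    """Return the msg strings of every rule that fires on this payload."""
    return [r.msg for r in RULES if rule_matches(r, dst_port, payload)]


# Constructed sample payloads (assumptions for illustration, not real captures).
SAMPLES = {
    # Gnutella handshake at the very start of the stream: within depth 20.
    "gnutella_handshake": (6346, b"GNUTELLA CONNECT/0.6\r\nUser-Agent: example\r\n\r\n"),
    # Same string, but preceded by 30 bytes: outside depth 20, so no alert.
    "gnutella_late": (6346, b"X" * 30 + b"GNUTELLA CONNECT/0.6\r\n"),
    # Cleartext Kazaa-style header on the default port 1214.
    "kazaa_cleartext": (1214, b"GET /.files HTTP/1.1\r\nHost: example\r\nX-Kazaa-Username: someone\r\n\r\n"),
    # Same header on another port: the rule is pinned to 1214, so no alert.
    "kazaa_other_port": (80, b"GET / HTTP/1.1\r\nX-Kazaa-Username: someone\r\n\r\n"),
    # Header XOR-obfuscated (constructed): no cleartext string to match.
    "kazaa_obfuscated": (1214, bytes(b ^ 0x5A for b in b"X-Kazaa-Username: someone")),
}


def run_samples() -> dict:
    """Apply the rules to every sample and return {sample_name: [msgs]}."""
    return {name: inspect(port, data) for name, (port, data) in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in run_samples().items():
        print(f"{name:20s} -> {hits or 'no alert'}")
```

The `gnutella_late` sample is why `depth` is worth keeping: it makes the rule cheap and anchors it to the handshake, but it also means a client that pads or splits the opening line is missed. The `kazaa_other_port` and `kazaa_obfuscated` samples are the two weaknesses the post itself names; the rule holds only while the client keeps both the default port and a cleartext header.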

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users