Snort mailing list archives
Re: Snort and Kazaa 2.0
From: Frank Knobbe <fknobbe () knobbeits com>
Date: 22 Oct 2002 22:52:01 -0500
On Tue, 2002-10-22 at 20:03, Sam Evans wrote:
Based on what we have seen, it no longer uses the 1214 port for its traffic. (Although it does use it sometimes..) Weird. Anyway, we have come up with a rule that seems to work very well for the new Kazaa. YMMV though.. This is for snort 1.8.7 (but should work for 1.9.0).

alert tcp any any -> any any (msg: "P2P Kazaa File Transfer"; content: "X-Kazaa"; rev: 1;)

What we have seen is that even though the new Kazaa doesn't use the standard 1214, the protocol still utilizes the X-Kazaa tag for its transfers. While this rule will not alert you as to when someone is searching for a file, it will alert when someone initiates a transfer session. (Multiple times quite possibly, depending on the packet).
Can you define an offset or some other characteristic that would avoid false positives? I mean, this email alone would trigger that rule... :) Regards, Frank
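As an added illustration of the false-positive point, not part of the thread: the bare `content: "X-Kazaa"` match fires on any payload containing that string, including an e-mail that quotes the rule, whereas a check that requires an HTTP start line and an X-Kazaa-* header name within the first bytes of the stream (roughly what Snort's `offset`/`depth` content modifiers plus a more specific pattern buy you) does not. The sample payloads and the X-Kazaa-* header names are constructed assumptions; the thread only says the protocol carries an X-Kazaa tag.

```python
import re

# Constructed samples (not captured traffic). The header names below are
# assumptions for illustration; the thread only says the protocol carries
# an "X-Kazaa" tag in its transfer requests.
KAZAA_REQUEST = (
    b"GET /.files/song.mp3 HTTP/1.1\r\n"
    b"Host: 192.0.2.10:1214\r\n"
    b"X-Kazaa-Username: someuser\r\n"
    b"X-Kazaa-Network: KaZaA\r\n"
    b"\r\n"
)
# An SMTP message body that merely quotes the rule, as in Frank's reply.
EMAIL_MESSAGE = (
    b"From: frank@example.org\r\n"
    b"Subject: Re: Snort and Kazaa 2.0\r\n"
    b"\r\n"
    b"alert tcp any any -> any any (content: \"X-Kazaa\"; rev: 1;)\r\n"
)
# A webmail POST whose body (not its headers) mentions the string.
WEBMAIL_POST = (
    b"POST /send HTTP/1.1\r\n"
    b"Host: mail.example.org\r\n"
    b"Content-Length: 20\r\n"
    b"\r\n"
    b"body=X-Kazaa+rule%3F"
)

START_LINE = re.compile(rb"^(?:[A-Z]+ \S+ HTTP/1\.[01]|HTTP/1\.[01] \d{3})[^\r\n]*\r\n")
KAZAA_HEADER = re.compile(rb"\r\nX-Kazaa-[A-Za-z-]+:")

def naive_match(payload: bytes) -> bool:
    """Equivalent of content:"X-Kazaa" with no modifiers: fires anywhere."""
    return b"X-Kazaa" in payload

def header_match(payload: bytes, depth: int = 512) -> bool:
    """Tighter check: the payload must open with an HTTP request or status
    line, and X-Kazaa-* must appear as a header name (start of line, followed
    by a colon) inside the header block within the first `depth` bytes."""
    head = payload[:depth]
    if START_LINE.match(head) is None:
        return False
    header_block = head.split(b"\r\n\r\n", 1)[0]
    return KAZAA_HEADER.search(header_block) is not None

def evaluate(samples: dict) -> dict:
    """Run both checks over the samples; returns {name: (naive, tightened)}."""
    return {name: (naive_match(p), header_match(p)) for name, p in samples.items()}

if __name__ == "__main__":
    samples = {"kazaa": KAZAA_REQUEST, "email": EMAIL_MESSAGE, "webmail": WEBMAIL_POST}
    for name, (naive, tight) in evaluate(samples).items():
        print(f"{name:8s} naive={naive} tightened={tight}")
```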