Snort mailing list archives

Re: P2P rule not working


From: Jeff <jcoppock1 () attbi com>
Date: Wed, 9 Apr 2003 16:27:46 -0700

Jimmy Hernandez, 2003-Apr-09 14:56 -0700:
Hi,

 I was monitoring my alert file to see if the P2P rule was being
triggered by visiting the kazaa website or by launching the kazaa
program and nothing was triggered. All the other rules that I am
currently using are working just fine. I am particularly interested in
rule 1318

http://www.snort.org/snort-db/sid.html?id=1383

alert tcp $EXTERNAL_NET any -> $HOME_NET 1214 (msg:"P2P Fastrack (kazaa/morpheus) GET request"; flow:to_server,established; content:"GET "; depth:4; reference:url,www.musiccity.com/technology.htm; reference:url,www.kazaa.com; classtype:protocol-command-decode; sid:1383; rev:3;)

I do not see a warning or error when I run snort for the p2p.rules. But
there is no alert when I visit the site or even download a file. If
downloading I notice (with netstat) that the established port is 2816
and the TIME_WAIT is 1214. Any thoughts? Is anyone having the same
issue?

This rule is written for kazaa 1.x where you are likely running kazaa
2.x.  The newer kazaa changed the protocol to randomize the ports
used, no longer fixed to tcp:1214.  It also does some encoding of the
tcp streams to pass the data around.  Essentially, they made it very
difficult to detect kazaa activity.

I haven't seen any way to detect it consistently yet.  But I'm still
looking.

You could probably write a rule to detect the initial logon using
udp:1109.  But everything that is random.

jc

-- 
Jeff Coppock            Systems Engineer
Diggin' Debian          Admin and User
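To make the reply concrete, here is an added example (not from this thread and not Snort's own code): a small Python model of how the header and options of sid:1383 gate a match, run over constructed connections. The $HOME_NET value, the peer address and the three payloads are assumptions; the point it shows is that a rule keyed to tcp:1214 with content:"GET " at depth 4 never sees a session that lands on a randomised port such as the 2816 observed above, nor one whose stream no longer starts with a plain GET.

```python
import ipaddress
import re

# sid:1383 as quoted in the question above (reference options dropped).
KAZAA_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 1214 '
    '(msg:"P2P Fastrack (kazaa/morpheus) GET request"; '
    'flow:to_server,established; content:"GET "; depth:4; sid:1383; rev:3;)'
)

# Assumed variable binding; a real deployment sets this in snort.conf.
HOME_NET = ipaddress.ip_network("192.168.1.0/24")

HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)$',
    re.S,
)
# key:value; pairs, where a value may be a quoted string containing ';'
OPT_RE = re.compile(r'\s*(?P<key>\w+):(?P<val>"(?:[^"\\]|\\.)*"|[^;]*);')


def parse_rule(text):
    """Split one Snort rule into header fields plus an ordered option list."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised rule syntax")
    rule = m.groupdict()
    rule["opts"] = [(k, v.strip('"')) for k, v in OPT_RE.findall(m.group("opts"))]
    return rule


def _addr_matches(spec, ip):
    addr = ipaddress.ip_address(ip)
    if spec == "any":
        return True
    if spec == "$HOME_NET":
        return addr in HOME_NET
    if spec == "$EXTERNAL_NET":          # modelled as "not $HOME_NET"
        return addr not in HOME_NET
    return addr in ipaddress.ip_network(spec)


def _port_matches(spec, port):
    return spec == "any" or int(spec) == port


def rule_matches(rule, pkt):
    """Evaluate header, flow and content/depth options against a constructed packet."""
    if rule["proto"] != pkt["proto"]:
        return False
    if not (_addr_matches(rule["src"], pkt["src"]) and _port_matches(rule["sport"], pkt["sport"])
            and _addr_matches(rule["dst"], pkt["dst"]) and _port_matches(rule["dport"], pkt["dport"])):
        return False
    contents = []                        # [pattern, depth]; depth modifies the preceding content
    for key, val in rule["opts"]:
        if key == "flow":
            flags = val.split(",")
            if "to_server" in flags and not pkt["to_server"]:
                return False
            if "established" in flags and not pkt["established"]:
                return False
        elif key == "content":
            contents.append([val.encode(), None])
        elif key == "depth":
            contents[-1][1] = int(val)
    for pattern, depth in contents:
        # depth N: the pattern must lie entirely within the first N payload bytes
        window = pkt["payload"] if depth is None else pkt["payload"][:depth]
        if pattern not in window:
            return False
    return True


# Constructed traffic samples (assumed addresses and payloads).
PEER, HOME_HOST = "203.0.113.7", "192.168.1.10"


def packet(dport, payload, **overrides):
    base = dict(proto="tcp", src=PEER, sport=51000, dst=HOME_HOST, dport=dport,
                to_server=True, established=True, payload=payload)
    base.update(overrides)
    return base


KAZAA1_FIXED_PORT = packet(1214, b"GET /download/song.mp3 HTTP/1.1\r\n")
KAZAA2_RANDOM_PORT = packet(2816, b"GET /download/song.mp3 HTTP/1.1\r\n")
KAZAA2_ENCODED = packet(1214, b"\x00\x1f\x8bK\x02\x9c")   # stream no longer starts with GET


def evaluate():
    """Return which of the three constructed sessions sid:1383 would alert on."""
    rule = parse_rule(KAZAA_RULE)
    return {
        "kazaa1_port_1214": rule_matches(rule, KAZAA1_FIXED_PORT),
        "kazaa2_random_port": rule_matches(rule, KAZAA2_RANDOM_PORT),
        "kazaa2_encoded_stream": rule_matches(rule, KAZAA2_ENCODED),
    }


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name}: {'ALERT' if hit else 'no alert'}")
```

Only the first session fires; the other two reproduce the silence reported above. A port-independent detection would have to key on something in the stream itself, which is exactly what the encoded newer protocol takes away.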
