Snort mailing list archives
Re: Kazaa P2P Rules
From: Sam Evans <sam () neuroflux com>
Date: Tue, 22 Apr 2003 13:42:20 -0400 (EDT)
I've run into the same problem with the P2P GET -- I've disabled that rule as it's worthless in its current state.

As far as Kazaa goes, I have written a rule that seems to work quite well... Here's what I have:

alert tcp any 1024: -> any 1024: (msg: "P2P Kazaa File Get"; content: "X-Kazaa"; sid: 1000000; rev:1;)

As far as Bearshare goes, that's a Gnutella-based client, and they've changed their protocol to the point where it's pretty difficult to pick it out of the network traffic. But, what I have also done is pick out the Bearshare address space, and then create a rule based on traffic going to their network on ports > 80.. This would identify clients connecting to the Bearshare supernodes (since this has to be done initially to get a list of supernodes).. So, a rule could look like:

alert tcp any any -> 208.239.76.0/24 1024: (msg: "Possible Bearshare Client Connection"; sid: 1000001; rev:1;)

Anyhow, YMMV..

-Sam

On Tue, 22 Apr 2003, Allan Dover wrote:
> Hey Erek and Gang,
>
> I tried using the P2P rules to catch Kazaa users on my network. When using the p2p rules I see a lot of port 25 activity for mail. Usually a P2P Get command. Anyone know a way of addressing Kazaa and Bearshare to be monitored/triggered in Snort.
>
> Allan Dover
> Systems Administrator
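To make the two rules in Sam's reply concrete, here is an added Python example (not from the thread and not Snort's own code) that parses the two rule lines exactly as posted, evaluates them against a few constructed packets, and shows why the `1024:` port ranges keep the Kazaa rule away from port-25 mail traffic of the kind Allan describes while the CIDR rule still fires on a supernode connection. The packet names, addresses and payloads are constructed for illustration, and the `rule_matches` helper is a plain substring match with none of Snort's preprocessing or stream reassembly.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# The two rules as posted in the thread (the sids are Sam's local numbers).
RULES = [
    'alert tcp any 1024: -> any 1024: (msg: "P2P Kazaa File Get"; content: "X-Kazaa"; sid: 1000000; rev:1;)',
    'alert tcp any any -> 208.239.76.0/24 1024: (msg: "Possible Bearshare Client Connection"; sid: 1000001; rev:1;)',
]


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    options: dict = field(default_factory=dict)


# Rule header layout: action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$"
)


def parse_rule(text: str) -> Rule:
    """Parse one single-line Snort rule into header fields and an options dict."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable rule: {text!r}")
    action, proto, src, sport, _direction, dst, dport, opts = m.groups()
    options = {}
    for item in opts.split(";"):
        item = item.strip()
        if not item:
            continue
        key, _, value = item.partition(":")
        options[key.strip()] = value.strip().strip('"')
    return Rule(action, proto, src, sport, dst, dport, options)


def port_matches(spec: str, port: int) -> bool:
    """Snort port syntax: 'any', one port, or a range like '1024:', ':1023', '1024:65535'."""
    if spec == "any":
        return True
    if ":" in spec:
        lo, _, hi = spec.partition(":")
        return (not lo or int(lo) <= port) and (not hi or port <= int(hi))
    return int(spec) == port


def addr_matches(spec: str, addr: str) -> bool:
    """'any' or a CIDR block such as 208.239.76.0/24."""
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: dict) -> bool:
    """Header check, then a plain substring match on the payload if the rule has 'content'."""
    if rule.proto != pkt["proto"]:
        return False
    if not (addr_matches(rule.src, pkt["src"]) and port_matches(rule.sport, pkt["sport"])):
        return False
    if not (addr_matches(rule.dst, pkt["dst"]) and port_matches(rule.dport, pkt["dport"])):
        return False
    content = rule.options.get("content")
    return content is None or content.encode() in pkt["payload"]


# Constructed sample traffic: documentation/private addresses, invented payloads.
PACKETS = [
    # Kazaa-style download on high ports: should fire the first rule.
    {"name": "kazaa-get", "proto": "tcp", "src": "10.0.0.5", "sport": 3215,
     "dst": "192.0.2.40", "dport": 1214,
     "payload": b"GET /.files/song.mp3 HTTP/1.1\r\nX-Kazaa-Username: someone\r\n\r\n"},
    # Mail to port 25 that happens to mention the string: the 1024: range keeps it quiet.
    {"name": "smtp-mail", "proto": "tcp", "src": "10.0.0.5", "sport": 3300,
     "dst": "192.0.2.25", "dport": 25,
     "payload": b"DATA\r\nSubject: X-Kazaa headers seen in logs\r\n"},
    # Client reaching into the Bearshare address space on a high port: second rule.
    {"name": "bearshare-supernode", "proto": "tcp", "src": "10.0.0.7", "sport": 4001,
     "dst": "208.239.76.17", "dport": 6346, "payload": b"CONNECT\r\n"},
    # Plain web request to the same block on port 80: outside the 1024: range, no alert.
    {"name": "bearshare-web", "proto": "tcp", "src": "10.0.0.7", "sport": 4002,
     "dst": "208.239.76.17", "dport": 80, "payload": b"GET / HTTP/1.0\r\n\r\n"},
]


def evaluate(rules, packets):
    """Return (packet name, rule msg) for every rule each packet triggers."""
    alerts = []
    for pkt in packets:
        for rule in rules:
            if rule_matches(rule, pkt):
                alerts.append((pkt["name"], rule.options["msg"]))
    return alerts


def run_demo():
    return evaluate([parse_rule(r) for r in RULES], PACKETS)


if __name__ == "__main__":
    for name, msg in run_demo():
        print(f"{name}: {msg}")
```

Running it yields exactly two alerts, `kazaa-get` and `bearshare-supernode`; the mail packet is dropped by the port check before the content is ever inspected, which is the property Sam's `1024:` ranges buy over a content-only P2P GET signature.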