[Snort-sigs] FW: Trying to detect Morpheus and Streaming mult i.

Madziarczyk, Jonathan than at ...460...
Thu Mar 21 12:58:52 EST 2002


Thanks Chris, I had an older copy of the rules.  I just got the latest copy
and it looks like this should solve my Morpheus/Kazaa issue.

With regards to the streaming, I think for the time being I'm looking for
RealPlayer/MS media player and Qtime.  Is there a rule already out there?

JonM


-----Original Message-----
From: Chris Green [mailto:cmg at ...435...] 
Sent: Thursday, March 21, 2002 1:46 PM
To: Madziarczyk, Jonathan
Cc: 'snort-sigs at lists.sourceforge.net'
Subject: Re: [Snort-sigs] FW: Trying to detect Morpheus and Streaming multi.

"Madziarczyk, Jonathan" <than at ...460...> writes:

> Hi, I think this is the right place for this....
>  
> 1)     I'm trying to find a way of detecting P2P file sharing programs
such
> as Kazaa and Morpheus.  I see the sig for Gnutella and it appears to be
> working.  Is there on for these other programs? (from what I can tell,
Kazaa
> and Morpheus use tcp 1417 to make an initial conn).

Look at policy.rules. tcp/1214 HTTP GET area pretty good inidicator.   
>  
> 2)     I'm also trying to detect streaming multimedia coming into my
network
> (I assume this is a multicast of some kind).  Is there any sigs out there
> that will check this for me?

Do you support Multicast coming onto your network?  I haven't heard of
many non-edu's that have MBONE style broadcasts

Do you know what kind of client they are using?

Real Player/MS Media Server/Quicktime servers are the ones I think of
and shoutcast.

>  
> Thanks in advance for you help!
>  
> JonM

-- 
Chris Green <cmg at ...435...>
Fame may be fleeting but obscurity is forever.




More information about the Snort-sigs mailing list