[Snort-sigs] Experimental Streaming audio signatures

Chris Green cmg at ...435...
Fri Mar 22 09:50:11 EST 2002


These is just the most popular vectors I could think of.

All but quicktime detects based on the content-type of the server

The Quicktime detects based on the User Agent of the quicktime plugin.

Please test them out and let see how it goes; Anyone know of any more
popular ones?

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 \
    (msg: "Possible QuickTime User"; \
      content: "User-Agent: Quicktime";)

alert tcp $EXTERNAL_NET 80 -> $HOME_NET any \
    (msg: "Windows Media -- Audio"; \
     content: "Content-type: audio/x-ms-wma\r\n";)

alert tcp $EXTERNAL_NET 80 -> $HOME_NET any \
        (msg: "Windows Media -- Video"; \
         content: "Content-type: video/x-ms-asf\r\n";)

alert tcp $EXTERNAL_NET 80 -> $HOME_NET any \
   (msg:"Shoutcast Redirection to playlist"; \
     content: "Content-type: audio/x-scpls\r\n";)

alert tcp $EXTERNAL_NET 80 -> $HOME_NET any \
    (msg:"Icecast Redirection to playlist"; \
     content: "Content-type: audio/x-mpegurl\r\n";)
-- 
Chris Green <cmg at ...435...>
A watched process never cores.





More information about the Snort-sigs mailing list