[Snort-sigs] FW: Trying to detect Morpheus and Streaming multi.

O'Flynn, Derek DOFlyn at ...466...
Fri Mar 22 10:28:09 EST 2002


Here are some of the rules I'm currently using to detect Gnutella/Kazaa/WinMX.

The winmx rule is rather noisy since it just picks up the packets using the
WinMX port and all the data that's transferred.  If someone can build a
refined rule, that would be appreciated.

The gnutella/kazaa rules check for the GET statement and return the variant
of the client used and the file that is being downloaded.  There are two
rules for each: one to check inbound GET and one to check outbound GET.

FYI: Morpheus is now using the gnutella network.
Gnutella has a variety of clients, this rule catches those.

#KAZAA NETWORK ALERT
# Each rule is one line (mail wrapping split them). Every rule needs its own
# sid; the outbound copy below was posted with the same sid:1383 as the
# inbound one, so it has been given a placeholder from the local range
# (1000000+). Replace the placeholder sids with ones from your own local range.
alert tcp $EXTERNAL_NET !80 -> $HOME_NET 1214 (msg:"P2P - Kazaa Network - GET"; flags:A+; content:"GET "; depth:4; reference:url,www.musiccity.com/technology.htm; reference:url,www.kazaa.com; classtype:protocol-command-decode; sid:1383; rev:1;)
alert tcp $HOME_NET !80 -> $EXTERNAL_NET 1214 (msg:"P2P - Kazaa Network - GET"; flags:A+; content:"GET "; depth:4; reference:url,www.musiccity.com/technology.htm; reference:url,www.kazaa.com; classtype:protocol-command-decode; sid:1000001; rev:1;)

#GNUTELLA NETWORK ALERT
# The direction operator is "->"; a bare ">" is not valid Snort rule syntax.
# flags:AP+ requires both ACK and PSH set (other flags may also be set).
alert tcp $HOME_NET !80 -> $EXTERNAL_NET 6346 (msg:"P2P - Gnutella Network - GET"; flags:AP+; content:"GET "; depth:4; classtype:protocol-command-decode; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET !80 -> $HOME_NET 6346 (msg:"P2P - Gnutella Network - GET"; flags:AP+; content:"GET "; depth:4; classtype:protocol-command-decode; sid:1000003; rev:1;)

#WINMX NETWORK ALERT
# flags:S matches only a bare SYN, i.e. the outbound connection attempt;
# there is no content test, so anything connecting to 6699 fires it.
alert tcp $HOME_NET !80 -> $EXTERNAL_NET 6699 (msg:"WinMX Network Connection"; flags:S; sid:1000004; rev:1;)

Thanks,
Derek O'Flynn
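The matching logic of the five posted rules, as an added example that is not part of Derek's post or of Snort itself: a small Python re-implementation of the direction, port, flag and content tests, run over constructed packets, plus the payload parsing an analyst does by hand on a hit (request line to file name, User-Agent to client variant). It assumes $HOME_NET is 10.0.0.0/24; the addresses, file names and User-Agent strings in the sample packets are made up, and the hypothetical helpers (matches_rule, describe_get, scan) are mine.

```python
# Added example (mine, not from the post or the Snort project): a Python
# re-implementation of the matching logic in the five posted rules, run over
# constructed packets, plus the payload parsing an analyst does by hand on a
# hit (request line -> file, User-Agent -> client variant).
from dataclasses import dataclass
from typing import Optional

HOME_NET = "10.0.0."   # assumption: one /24 stands in for $HOME_NET
P2P_PORTS = {1214: "Kazaa", 6346: "Gnutella", 6699: "WinMX"}


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str               # TCP flags as letters: "S", "A", "PA", ...
    payload: bytes = b""


def is_home(ip: str) -> bool:
    return ip.startswith(HOME_NET)


def matches_rule(pkt: Packet) -> Optional[str]:
    """Return the msg of the posted rule the packet matches, else None.

    The Kazaa and Gnutella rules come in inbound/outbound pairs, so any
    packet crossing the home/external boundary (source port != 80) toward
    the listed destination port is in scope. Snort's flags:A+ means ACK
    set plus anything, flags:AP+ means ACK and PSH set plus anything, and
    flags:S means exactly SYN.
    """
    if is_home(pkt.src) == is_home(pkt.dst) or pkt.sport == 80:
        return None
    net = P2P_PORTS.get(pkt.dport)
    flags = set(pkt.flags)
    is_get = pkt.payload[:4] == b"GET "
    if net == "Kazaa" and "A" in flags and is_get:
        return "P2P - Kazaa Network - GET"
    if net == "Gnutella" and {"A", "P"} <= flags and is_get:
        return "P2P - Gnutella Network - GET"
    # The WinMX rule is outbound only: a bare SYN from home to port 6699.
    if net == "WinMX" and is_home(pkt.src) and flags == {"S"}:
        return "WinMX Network Connection"
    return None


def describe_get(payload: bytes) -> dict:
    """Extract requested file and User-Agent from an HTTP-style GET payload."""
    lines = payload.decode("latin-1").split("\r\n")
    request = lines[0].split(" ")
    info = {"file": request[1] if len(request) > 1 else "", "client": ""}
    for line in lines[1:]:
        if line.lower().startswith("user-agent:"):
            info["client"] = line.split(":", 1)[1].strip()
    return info


def scan(packets):
    """Apply the rules to each packet; return (msg, src, dst, detail) hits."""
    hits = []
    for pkt in packets:
        msg = matches_rule(pkt)
        if msg is None:
            continue
        detail = describe_get(pkt.payload) if pkt.payload[:4] == b"GET " else {}
        hits.append((msg, pkt.src, pkt.dst, detail))
    return hits


# Constructed sample traffic (not captured data). Addresses, file names and
# User-Agent strings are made up for the example.
SAMPLE = [
    # 1: outbound Gnutella GET from a Morpheus client -> fires (ACK+PSH set)
    Packet("10.0.0.5", 3421, "192.0.2.10", 6346, "PA",
           b"GET /get/123/song.mp3 HTTP/1.0\r\nUser-Agent: Morpheus 1.9\r\n\r\n"),
    # 2: inbound Kazaa GET -> fires (ACK set)
    Packet("198.51.100.7", 2810, "10.0.0.9", 1214, "A",
           b"GET /.files/movie.avi HTTP/1.1\r\nUser-Agent: KazaaClient Mar 5 2002\r\n\r\n"),
    # 3: outbound WinMX connection attempt -> fires on the bare SYN
    Packet("10.0.0.5", 3500, "203.0.113.4", 6699, "S"),
    # 4: data on that WinMX session: not a bare SYN, so the rule is silent
    Packet("10.0.0.5", 3500, "203.0.113.4", 6699, "PA", b"data"),
    # 5: Gnutella GET with ACK but no PSH -> AP+ not satisfied, no alert
    Packet("10.0.0.5", 3422, "192.0.2.10", 6346, "A",
           b"GET /get/1/x.mpg HTTP/1.0\r\n\r\n"),
    # 6: source port 80 is excluded by the !80 in every rule -> no alert
    Packet("192.0.2.10", 80, "10.0.0.5", 6346, "PA",
           b"GET /get/1/x.mpg HTTP/1.0\r\n\r\n"),
    # 7: host-to-host inside $HOME_NET never crosses the boundary -> no alert
    Packet("10.0.0.5", 4000, "10.0.0.9", 1214, "PA",
           b"GET /.files/local.mp3 HTTP/1.1\r\n\r\n"),
]

if __name__ == "__main__":
    for msg, src, dst, detail in scan(SAMPLE):
        print(f"{msg}: {src} -> {dst} {detail}")
```

Running it prints three hits (Gnutella, Kazaa, WinMX) and stays quiet on packets 4 through 7, which is the point: the GET rules only see the request line, so the client name and file come from reading the matching payload, and the WinMX rule fires once per connection on the SYN rather than on the transferred data.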


-----Original Message-----
From: Benjamin Madsen [mailto:benmadsenx at ...396...]
Sent: Friday, March 22, 2002 10:38 AM
To: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] FW: Trying to detect Morpheus and Streaming multi.


Wouldn't it be as simple as blocking the RTP protocol?  or are you looking 
to find downloads of AVI, MPG and QT files as well?

-Ben

At 04:08 PM 3/21/2002 -0500, you wrote:
>"Madziarczyk, Jonathan" <than at ...460...> writes:
>
> > Thanks Chris, I had an older copy of the rules.  I just got the latest
> > copy and it looks like this should solve my Morpheus/Kazaa issue.
> >
> > With regards to the streaming, I think for the time being I'm looking
> > for RealPlayer/MS media player and Qtime.  Is there a rule already out
> > there?
> >
>
>No, there isn't but since there is a demand for it, I just added it to
>my TODO list
>--
>Chris Green <cmg at ...435...>
>"Yeah, but you're taking the universe out of context."


_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
