[Snort-sigs] Napster Sigs

Dell, Jeffrey JDell at ...155...
Mon May 20 07:25:04 EDT 2002


The following signatures have established twice in the flow statement. One
of these should be removed and possibly replaced with a to_server or
to_client.

alert tcp $HOME_NET any <> $EXTERNAL_NET 6666 (msg:"P2P Napster Client Data"; flow:established,established; content:".mp3"; nocase; classtype:misc-activity; sid:563; rev:4;)
alert tcp $HOME_NET any <> $EXTERNAL_NET 5555 (msg:"P2P Napster Client Data"; flow:established,established; content:".mp3"; nocase; classtype:misc-activity; sid:564; rev:4;)
alert tcp $HOME_NET any <> $EXTERNAL_NET 8875 (msg:"P2P Napster Server Login"; flow:established,established; content:"anon at ...597..."; classtype:misc-activity; sid:565; rev:4;)

Should be:

alert tcp $HOME_NET any <> $EXTERNAL_NET 6666 (msg:"P2P Napster Client Data"; flow:established; content:".mp3"; nocase; classtype:misc-activity; sid:563; rev:5;)
alert tcp $HOME_NET any <> $EXTERNAL_NET 5555 (msg:"P2P Napster Client Data"; flow:established; content:".mp3"; nocase; classtype:misc-activity; sid:564; rev:5;)
alert tcp $HOME_NET any <> $EXTERNAL_NET 8875 (msg:"P2P Napster Server Login"; flow:established; content:"anon at ...597..."; classtype:misc-activity; sid:565; rev:5;)
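
An added example, not part of the original post: a small Python lint that catches this class of error before a rules file is loaded. It rejoins rules that a mail client has wrapped, then reports repeated flow modifiers and flow options that name both directions; the function names and the sid 1000001 rule are constructed for illustration.

```python
import re

# In Snort's flow keyword, to_server == from_client and to_client == from_server.
DIRECTION = {"to_server": "c2s", "from_client": "c2s",
             "to_client": "s2c", "from_server": "s2c"}
FLOW_RE = re.compile(r"\bflow\s*:\s*([^;]*);")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def join_wrapped(text):
    """Rejoin rules wrapped by a mail client (heuristic: a rule ends at a line ending in ')')."""
    rules, buf = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or (not buf and line.startswith("#")):
            continue
        buf.append(line)
        if line.endswith(")"):
            rules.append(" ".join(buf))
            buf = []
    return rules

def lint_flow(rule):
    """Return the problems found in one rule's flow option (empty list if none)."""
    m = FLOW_RE.search(rule)
    opts = [o.strip().lower() for o in m.group(1).split(",")] if m else []
    problems = [f"duplicate '{o}'" for o in sorted(set(opts)) if opts.count(o) > 1]
    if len({DIRECTION[o] for o in opts if o in DIRECTION}) > 1:
        problems.append("conflicting directions")
    return problems

def lint_rules(text):
    """Map sid -> problems for every rule with a flow problem (key 0 if the rule has no sid)."""
    findings = {}
    for rule in join_wrapped(text):
        problems, sid = lint_flow(rule), SID_RE.search(rule)
        if problems:
            findings[int(sid.group(1)) if sid else 0] = problems
    return findings

# Constructed sample: sid 563 as quoted in the post, plus a made-up rule (sid 1000001).
SAMPLE = '''\
alert tcp $HOME_NET any <> $EXTERNAL_NET 6666 (msg:"P2P Napster Client
Data"; flow:established,established; content:".mp3"; nocase;
classtype:misc-activity; sid:563;  rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6666 (msg:"constructed example";
flow:to_server,to_client; sid:1000001; rev:1;)
'''

if __name__ == "__main__":
    print(lint_rules(SAMPLE))
```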
