[Snort-sigs] Direct Connect

chuck at ...2055...
Wed Dec 3 14:01:01 EST 2003


Hello,
this is my first attempt at writing Snort rules.
I just wanted to post these since I haven't found any
that did block Direct Connect, so I created them by
looking at the other p2p rules I saw in p2p.rules.

# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to others' work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# 
# $Id$
#
# 

Rule:
# sid values are placeholders; each rule needs its own unique sid or Snort
# will reject the duplicates when the rule file is loaded.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P Direct Connect HubList"; flow:to_server,established; content:"GET /PublicHubList.config"; classtype:policy-violation; sid:9999; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P Direct Connect NickList"; flow:to_server,established; content:"NickList"; classtype:policy-violation; sid:10000; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P Direct Connect ConnectToMe"; flow:to_server,established; content:"ConnectToMe"; classtype:policy-violation; sid:10001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P Direct Connect Search Hub"; flow:to_server,established; content:"Search Hub"; classtype:policy-violation; sid:10002; rev:1;)

--
Sid:
Not sure what this is, so I entered a number which wasn't used in my rules db.


--
Summary:
This will catch you when you request the list of hubs, when you try to connect
to a hub, and also when you search for something. There are definitely more rules
that could be written for this protocol, but just with these I can spot the
users fast enough.
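As an added illustration (not code from the original post or from Snort), the following Python model applies the four content matches above to constructed sample payloads. It reproduces only what a plain `content:` option does, a case-sensitive substring search over the payload, plus the `flow:to_server` direction check; stream reassembly, port filtering and the other Snort options are not modelled. The sample messages are constructed in the shape of NMDC protocol commands (`$Command ...|`) and are assumptions, not captured traffic. The "unrelated HTTP" sample shows why a short bare string such as `NickList` deserves a second look when tuning: any client-to-server payload containing those bytes will raise the alert.

```python
"""
Added example (not part of the original post): a minimal model of the four
Direct Connect content rules, run over constructed sample payloads.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    msg: str                # the rule's msg option
    content: bytes          # the rule's content option (exact bytes)
    to_server: bool = True  # flow:to_server,established


# The four content matches from the post, one Rule per signature.
DC_RULES = (
    Rule("P2P Direct Connect HubList", b"GET /PublicHubList.config"),
    Rule("P2P Direct Connect NickList", b"NickList"),
    Rule("P2P Direct Connect ConnectToMe", b"ConnectToMe"),
    Rule("P2P Direct Connect Search Hub", b"Search Hub"),
)


def match_rules(payload: bytes, to_server: bool, rules=DC_RULES) -> list:
    """Return the msg of every rule that fires on one TCP payload.

    A plain `content:` option with no `nocase`, `offset` or `depth` is a
    case-sensitive substring search over the whole payload; `flow:to_server`
    means only client-to-server packets of an established session are checked.
    """
    hits = []
    for rule in rules:
        if rule.to_server and not to_server:
            continue
        if rule.content in payload:
            hits.append(rule.msg)
    return hits


# Constructed sample traffic (assumed NMDC message shapes, not captured data).
# Each entry: (label, payload, is_client_to_server)
SAMPLES = (
    ("hub-list fetch",    b"GET /PublicHubList.config HTTP/1.0\r\n", True),
    ("nick list request", b"$GetNickList|",                         True),
    ("nick list reply",   b"$NickList alice$$bob$$|",               False),
    ("passive search",    b"$Search Hub:alice F?F?0?1?debian|",     True),
    ("active connect",    b"$ConnectToMe alice 10.0.0.5:412|",      True),
    ("unrelated HTTP",    b"GET /NickList.html HTTP/1.0\r\n",       True),
    ("plain chat",        b"<alice> hello everyone|",               True),
)


def run_samples(samples=SAMPLES) -> dict:
    """Map each sample label to the list of rule msgs it triggers."""
    return {label: match_rules(payload, to_server)
            for label, payload, to_server in samples}


if __name__ == "__main__":
    for label, hits in run_samples().items():
        print(f"{label:18} -> {hits or 'no alert'}")
```

Running it shows the hub-list fetch, nick list request, passive search and active connect each raising exactly one alert, the hub's own `$NickList` reply raising none because it travels to the client, and the unrelated HTTP request for `/NickList.html` raising the NickList alert purely on the substring.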

--
Impact:
It's peer-to-peer, so I guess it can violate policy and be a bandwidth hog.

--
Detailed Information:

--
Affected Systems:

--
Attack Scenarios:

--
Ease of Attack:

--
False Positives:
None yet; every time I started a DC client I got some alerts going.

--
False Negatives:
Haven't run into any problems yet.

--
Corrective Action:

--
Contributors:
Charles Lacroix (chuck at ...2055...)

-- 
Additional References:
http://www.neo-modus.com/