[Snort-sigs] RE: P2P File Sharing Signatures?

Terence Runge terencerunge at ...1224...
Mon Jan 27 12:38:11 EST 2003

The p2p rules are not as robust or up to date as they could be. I am 
finding that I have to rely less on port level activity and more on 
content. If you are running snort on linux, try installing ngrep, then run 
ngrep -d  mp3 \!80. This should give you some insight into the level of 
"mp3" activity occurring.
You should be able to write a rule that will alert on the specific type of 
p2p activity you are seeing.
ngrep might also give you some insight on the specific applications users 
have installed.
Hope this helps.

More information about the Snort-sigs mailing list