[Snort-sigs] RE: P2P File Sharing Signatures?
terencerunge at ...1224...
Mon Jan 27 12:38:11 EST 2003
The p2p rules are not as robust or up to date as they could be. I am
finding that I have to rely less on port level activity and more on
content. If you are running Snort on Linux, try installing ngrep, then run
ngrep -d mp3 \!80. This should give you some insight into the level of
"mp3" activity occurring.
You should be able to write a rule that will alert on the specific type of
p2p activity you are seeing.
ngrep might also give you some insight on the specific applications users
Hope this helps.
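
A content-based rule of the kind the message describes, as an added example that is not part of the original post: it keys on a payload string rather than a fixed P2P port and skips port 80, mirroring the ngrep filter above. The message text, the ".mp3" content string and the sid (taken from the local range) are assumptions, and the string should be replaced with whatever application-specific content ngrep shows on your network.

```snort
# Added example in Snort 2.x rule syntax; not from the original post.
# Assumptions: msg text, the ".mp3" content string, and the local sid.
# $HOME_NET and $EXTERNAL_NET are the standard snort.conf variables.
alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"LOCAL P2P possible mp3 transfer on non-HTTP port"; flow:established; content:".mp3"; nocase; classtype:policy-violation; sid:1000001; rev:1;)
```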