[Snort-sigs] RE: P2P File Sharing Signatures?
Terence Runge
terencerunge at ...1224...
Mon Jan 27 12:38:11 EST 2003
The p2p rules are not as robust or up to date as they could be. I am
finding that I have to rely less on port level activity and more on
content. If you are running Snort on Linux, try installing ngrep, then run
ngrep -d mp3 \!80. This should give you some insight into the level of
"mp3" activity occurring.
You should be able to write a rule that will alert on the specific type of
p2p activity you are seeing.
ngrep might also give you some insight on the specific applications users
have installed.
Hope this helps.
Terence
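
Added example, not part of the original post: a Python sketch of the content-over-port triage described above. It searches payloads for "mp3" on any port other than 80, then groups the hits by host with the client strings seen on the same port. The packet records, addresses and client names are constructed for illustration, and `summarize` is a hypothetical helper.

```python
import re
from collections import defaultdict

# Constructed sample records (source IP, destination port, payload); not real traffic.
SAMPLE_PACKETS = [
    ("10.0.0.5", 6346, b"GNUTELLA CONNECT/0.6\r\nUser-Agent: ExampleClient/1.0\r\n\r\n"),
    ("10.0.0.5", 6346, b"GET /get/12/some_song.MP3 HTTP/1.1\r\n\r\n"),
    ("10.0.0.7", 80, b"GET /music/track.mp3 HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("10.0.0.9", 1214, b"GET /index HTTP/1.1\r\nuser-agent: OtherClient/2.1\r\n\r\n"),
    ("10.0.0.9", 1214, b"\x00\x01binary\xff track02.mp3\x00"),
    ("10.0.0.11", 25, b"EHLO mail.example.test\r\n"),
]

# Case-insensitive content match, so ".MP3" and ".mp3" both count.
CONTENT = re.compile(rb"mp3", re.IGNORECASE)
USER_AGENT = re.compile(rb"^User-Agent:[ \t]*([^\r\n]+)", re.IGNORECASE | re.MULTILINE)

def summarize(packets, content=CONTENT, excluded_ports=(80,)):
    """Group content matches by source host, ignoring the excluded ports."""
    hits = defaultdict(lambda: {"matches": 0, "ports": set()})
    agents = defaultdict(set)  # (src, port) -> client strings seen on that flow
    for src, dport, payload in packets:
        if dport in excluded_ports:
            continue
        ua = USER_AGENT.search(payload)
        if ua:
            agents[(src, dport)].add(ua.group(1).decode("latin-1").strip())
        if content.search(payload):
            hits[src]["matches"] += 1
            hits[src]["ports"].add(dport)
    report = {}
    for src, hit in hits.items():
        seen = set()
        for port in hit["ports"]:
            seen |= agents.get((src, port), set())
        report[src] = {"matches": hit["matches"],
                       "ports": sorted(hit["ports"]),
                       "agents": sorted(seen)}
    return report

if __name__ == "__main__":
    for host, info in sorted(summarize(SAMPLE_PACKETS).items()):
        print(host, info)
```

The ports and client strings in the report are the candidates to key a content-based rule on, in place of a fixed port list.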