[Snort-sigs] P2P foldershare.com 8000 connection
daniel uriah clemens
daniel_clemens at ...842...
Tue Jul 8 14:19:12 EDT 2003
# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others. References in the rules themselves
# should be used for linking to other's work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
alert tcp $HOME_NET any -> $EXTERNAL_NET 8000 \
(msg:"P2P foldershare.com 8000 connection"; \
content: "|45 5f 00 07 01 1f 40|";classtype:policy-violation;)
A client on your network is trying to intiate a connection to a
foldershare.com p2p remote file sharing service.
Usually before this client initiates its connection via ssl for its file
sharing purposes it will connect to remote computers on port 80,8000,and
21 with similar payloads.
Content in the packet will look like so:
000 : 45 5F 00 07 01 1F 40 E_....@
Many corporations view this type of p2p file sharing activity a breach of
with untrusted sources.
Generally this connection will be made to n170.audiogalaxy.com on port
8000 but may change sometime in the future.
windows based operating systems.
Ease of Attack:
The easiest way to block this activity is to block it at your border
access-list 101 deny ip any 126.96.36.199 0.0.0.0 log AudioGalaxy site
Daniel Uriah Clemens
dan.clemens at ...1661...
ttorgerson at ...1662...
-Daniel Uriah Clemens
Esse quam videra
(to be, rather than to appear)
http://www.birmingham-infragard.org | 2053284200
fingerprint: EDF0 6566 2A4A 220E 5760 EA1F 0424 6DF6 F662 F5BD
More information about the Snort-sigs