[Snort-sigs] P2P foldershare.com 8000 connection

daniel uriah clemens daniel_clemens at ...842...
Tue Jul 8 14:19:12 EDT 2003


# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
#
# $Id$
#
#

Rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET 8000 \
(msg:"P2P foldershare.com 8000 connection"; \
flow:to_server;\
content: "|45 5f 00 07 01 1f 40|";classtype:policy-violation;)

--
Sid:

--
Summary:

A client on your network is trying to intiate a connection to a
foldershare.com p2p remote file sharing service.
Usually before this client initiates its connection via ssl for its file
sharing purposes it will connect to remote computers on port 80,8000,and
21 with similar payloads.

Content in the packet will look like so:
000 : 45 5F 00 07 01 1F 40                              E_....@

--
Impact:

Many corporations view this type of p2p file sharing activity a breach of
their privacy policy or acceptable use policy or even a security breach to
share files
with untrusted sources.


--
--
Detailed Information:
Generally this connection will be made to n170.audiogalaxy.com on port
8000 but may change sometime in the future.

--
Affected Systems:

windows based operating systems.


-- 
--
Attack Scenarios:

 --
Ease of Attack:

simple

--
False Positives:

--
False Negatives:

--
Corrective Action:

The easiest way to block this activity is to block it at your border
perimeter.

access-list 101 deny ip any 216.166.74.3 0.0.0.0 log  AudioGalaxy site

--
Contributors:

Daniel Uriah Clemens
dan.clemens at ...1661...

Thomas Torgeson
ttorgerson at ...1662...


--
Additional References:
http://www.birmingham-infragard.org/meetings/talks/presentations/P2P-presentation-07-08-2003.ppt

-Daniel Uriah Clemens

Esse quam videra
    		(to be, rather than to appear)
http://www.birmingham-infragard.org   | 2053284200
fingerprint: EDF0 6566 2A4A 220E 5760  EA1F 0424 6DF6 F662 F5BD








More information about the Snort-sigs mailing list