[Snort-sigs] P2P foldershare.com ftp connection with FTP STUFF

daniel uriah clemens daniel_clemens at ...842...
Tue Jul 8 14:30:05 EDT 2003


# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
#
# $Id$
#
#

Rule:

alert tcp $EXTERNAL_NET 21 -> $HOME_NET any \
(msg:"P2P foldershare.com ftp connection with FTP STUFF ";\
flow:to_client;\
content:"|45 5f 00 15 01 00 0c|"; content:"|01 bb|"; distance:4;
within:14;classtype:policy-violation;)


--
Sid:

--
Summary:

A client on your network is trying to intiate a connection to a
foldershare.com p2p remote file sharing service.
Usually before this client initiates its connection via ssl for its file
sharing purposes it will connect to remote computers on port 80,8000,and
21 with similar payloads.

Content in the packet will look for 45 5f 00 15 01 00 0c followed by 01 bb
within a range of 4 bytes.


--
Impact:

Many corporations view this type of p2p file sharing activity a breach of
their privacy policy or acceptable use policy or even a security breach to
share files with untrusted sources.


--
--
Detailed Information:
Generally this connection will be made to 216.166.75.8 on port 21 but may
change sometime in the future.

--
Affected Systems:

windows based operating systems.


-- 
--
Attack Scenarios:

 --
Ease of Attack:

simple

--
False Positives:

--
False Negatives:

--
Corrective Action:

The easiest way to block this activity is to block it at your border
perimeter.

access-list 101 deny ip any 216.166.75.1 0.0.0.0 log  FolderShare site
access-list 101 deny ip any 216.166.75.2 0.0.0.0 log  FolderShare SSL
server
access-list 101 deny ip any 216.166.75.8 0.0.0.0 log  AudioGalaxy FTP
Server
access-list 101 deny ip any 216.166.74.3 0.0.0.0 log  AudioGalaxy site
--
Contributors:

Daniel Uriah Clemens
dan.clemens at ...1661...

Thomas Torgeson
ttorgerson at ...1662...
--
Additional References:
http://www.birmingham-infragard.org/meetings/talks/presentations/P2P-presentation-07-08-2003.ppt

-Daniel Uriah Clemens

Esse quam videra
    		(to be, rather than to appear)
http://www.birmingham-infragard.org   | 2053284200
fingerprint: EDF0 6566 2A4A 220E 5760  EA1F 0424 6DF6 F662 F5BD






More information about the Snort-sigs mailing list