[Snort-sigs] P2P foldershare.com going to http traffic without a GET

daniel uriah clemens daniel_clemens at ...842...
Tue Jul 8 14:49:07 EDT 2003


# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
#
# $Id$
#
#

Rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 \
(msg:"P2P foldershare.com going to http traffic without a GET"; \
flow:to_server; \
content:!"GET"; content:"|45 5f 00 07 01 00|"; classtype:policy-violation;)

--
Sid:

--
Summary:

A client on your network is trying to initiate a connection to a
foldershare.com p2p remote file sharing service.
Usually, before this client initiates its connection via SSL for its file
sharing purposes, it will connect to remote computers on ports 80, 8000, and
21 with similar payloads.


--
Impact:

Many corporations view this type of p2p file sharing activity as a breach of
their privacy policy or acceptable use policy, or even as a security breach, to
share files with untrusted sources.


--
Detailed Information:

The rule looks for the absence of a GET request over the
HTTP protocol while looking for the content "|45 5f 00 07 01 00|" in
the packet.

--
Affected Systems:

Windows-based operating systems.


--
Attack Scenarios:

 --
Ease of Attack:

simple

--
False Positives:

--
False Negatives:

--
Corrective Action:

The easiest way to block this activity is to block it at your border
perimeter.

access-list 101 remark FolderShare site
access-list 101 deny ip any 216.166.75.1 0.0.0.0 log
access-list 101 remark FolderShare SSL server
access-list 101 deny ip any 216.166.75.2 0.0.0.0 log
access-list 101 remark AudioGalaxy FTP server
access-list 101 deny ip any 216.166.75.8 0.0.0.0 log
access-list 101 remark AudioGalaxy site
access-list 101 deny ip any 216.166.74.3 0.0.0.0 log
--
Contributors:

Daniel Uriah Clemens
dan.clemens at ...1661...

Thomas Torgeson
ttorgerson at ...1662...
--
Additional References:
http://www.birmingham-infragard.org/meetings/talks/presentations/P2P-presentation-07-08-2003.ppt


-Daniel Uriah Clemens

Esse quam videri
    (to be, rather than to appear)
http://www.birmingham-infragard.org   | 2053284200
fingerprint: EDF0 6566 2A4A 220E 5760  EA1F 0424 6DF6 F662 F5BD
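The following is an added example, not code from the original post or from Snort. It re-implements the posted rule's matching conditions in Python so the behaviour of the negated content match can be checked offline against a few constructed payloads. The only bytes taken from the post are the six-byte content match 45 5f 00 07 01 00; every sample payload, name and port below is constructed for illustration and is not a capture of real FolderShare traffic.

```python
"""Stand-in for the matching logic of the posted Snort rule (added example).

Constructed payloads only; nothing here is captured FolderShare traffic.
"""

# content:"|45 5f 00 07 01 00|" from the posted rule
MAGIC = bytes.fromhex("45 5f 00 07 01 00")
# content:!"GET" from the posted rule
NEGATED = b"GET"


def rule_matches(payload: bytes, dst_port: int, to_server: bool = True) -> bool:
    """Return True when the posted rule would fire on this packet.

    Mirrors the rule's conditions: destination port 80, flow:to_server,
    the negated content (no "GET" anywhere in the payload) and the
    six-byte content match. Snort evaluates each content option over the
    whole payload, so "GET" at any offset, not only at the start of an
    HTTP request line, suppresses the alert.
    """
    if dst_port != 80 or not to_server:
        return False
    if NEGATED in payload:          # content:!"GET"
        return False
    return MAGIC in payload         # content:"|45 5f 00 07 01 00|"


# Constructed sample payloads (hypothetical, not from the post):
SAMPLES = {
    # magic bytes, no GET, port 80: the rule fires
    "p2p_handshake": (MAGIC + b"\x00\x10client-hello", 80),
    # ordinary web request: no magic bytes, and GET is present anyway
    "plain_http_get": (b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n", 80),
    # magic bytes present but GET also present: the negation wins
    "magic_plus_get": (b"GET /x HTTP/1.0\r\n\r\n" + MAGIC, 80),
    # same handshake on 8000: the rule only watches destination port 80
    "magic_port_8000": (MAGIC + b"\x00\x01", 8000),
    # POST body containing the magic bytes: only GET is negated, so it fires
    "post_with_magic": (b"POST /up HTTP/1.1\r\n\r\n" + MAGIC, 80),
}


def evaluate_samples() -> dict:
    """Run every constructed sample through rule_matches."""
    return {name: rule_matches(p, port) for name, (p, port) in SAMPLES.items()}


if __name__ == "__main__":
    for name, fired in evaluate_samples().items():
        print(f"{name:16s} {'ALERT' if fired else 'no alert'}")
```

Two things the samples make visible: the summary says the client also talks to ports 8000 and 21 with similar payloads, but the rule as written only inspects destination port 80, so those connections are not covered; and because only "GET" is negated, any non-GET HTTP traffic (a POST upload, for example) whose payload happens to contain these six bytes will also raise the alert, which is worth keeping in mind when filling in the empty False Positives section.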