[Snort-sigs] P2P foldershare.com going to http traffic without a GET
daniel uriah clemens
daniel_clemens at ...842...
Tue Jul 8 14:49:07 EDT 2003
# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others. References in the rules themselves
# should be used for linking to other's work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 \
(msg:"P2P foldershare.com going to http traffic without a GET";\
content: ! "GET"; content:"|45 5f 00 07 01 00 |";classtype:policy-violation;)
A client on your network is trying to intiate a connection to a
foldershare.com p2p remote file sharing service.
Usually before this client initiates its connection via ssl for its file
sharing purposes it will connect to remote computers on port 80,8000,and
21 with similar payloads.
Many corporations view this type of p2p file sharing activity a breach of
share files with untrusted sources.
Content in the packet will look for the absence of a GET request over the
HTTP protocol while looking for the content "| 45 5f 00 07 01 00 |" in
windows based operating systems.
Ease of Attack:
The easiest way to block this activity is to block it at your border
access-list 101 deny ip any 188.8.131.52 0.0.0.0 log FolderShare site
access-list 101 deny ip any 184.108.40.206 0.0.0.0 log FolderShare SSL
access-list 101 deny ip any 220.127.116.11 0.0.0.0 log AudioGalaxy FTP
access-list 101 deny ip any 18.104.22.168 0.0.0.0 log AudioGalaxy site
Daniel Uriah Clemens
dan.clemens at ...1661...
ttorgerson at ...1662...
-Daniel Uriah Clemens
Esse quam videra
(to be, rather than to appear)
http://www.birmingham-infragard.org | 2053284200
fingerprint: EDF0 6566 2A4A 220E 5760 EA1F 0424 6DF6 F662 F5BD
More information about the Snort-sigs