# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to others' work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# $Id$

alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"P2P Kazaa Traffic"; \
content:"X-Kazaa"; flow:to_server; resp:rst_all;)


A device on your network has initiated a Kazaa connection.  The X-Kazaa tag is used extensively in the Kazaa protocol to handle various information requests.  Capturing this packet will reveal search information, as well as the user's Kazaa username.

Kazaa is one of the most commonly used P2P programs today.  Because of this, its users are becoming a primary target for the RIAA.  Along with this, many corporations consider P2P activity a violation of their end user policies.

Detailed Information:
The supernodes and clients negotiate their connection information, so connections are initiated on random ports and from random IP addresses.  The only way to reliably identify Kazaa traffic is to inspect the packet payload and pick out the X-Kazaa tags.
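As an added illustration (not part of the original submission), the Python below approximates what the rule's content match does on a few constructed payloads and pulls out the X-Kazaa header fields an analyst would see when reviewing the captured packet.  The sample payloads, the header names other than the bare X-Kazaa tag, and every value in them are constructed assumptions for this example, not captured traffic.  It also shows why a rule author should decide explicitly about case: a Snort content match is case-sensitive unless nocase is added, so a lowercased tag slips past the rule as written.

```python
import re
from typing import Dict

# Constructed sample payloads (assumptions, not captured traffic). Header names
# beyond the bare "X-Kazaa" tag and all values are made up for illustration.
SAMPLE_PAYLOADS = {
    "kazaa_search": (
        b"GET /.files HTTP/1.1\r\n"
        b"Host: 198.51.100.10:1214\r\n"
        b"X-Kazaa-Username: exampleuser\r\n"
        b"X-Kazaa-Network: KaZaA\r\n"
        b"X-Kazaa-IP: 192.0.2.25:1214\r\n"
        b"\r\n"
    ),
    "plain_http": (
        b"GET /index.html HTTP/1.1\r\n"
        b"Host: www.example.com\r\n"
        b"User-Agent: Mozilla/5.0\r\n"
        b"\r\n"
    ),
    "lowercase_tag": (
        b"GET /.files HTTP/1.1\r\n"
        b"x-kazaa-username: exampleuser\r\n"
        b"\r\n"
    ),
}

# The content string from the rule: content:"X-Kazaa";
CONTENT = b"X-Kazaa"


def rule_matches(payload: bytes, to_server: bool, nocase: bool = False) -> bool:
    """Approximate the rule's detection logic.

    flow:to_server restricts the match to client-to-server traffic, and the
    content option is a plain byte-substring match. Snort treats content as
    case-sensitive unless the rule adds nocase, which the nocase flag models.
    """
    if not to_server:
        return False
    if nocase:
        return CONTENT.lower() in payload.lower()
    return CONTENT in payload


# One header per line: "X-Kazaa-<Something>: value" terminated by CRLF or LF.
HEADER_RE = re.compile(rb"^(X-Kazaa[^:\r\n]*):[ \t]*(.*?)\r?$",
                       re.IGNORECASE | re.MULTILINE)


def extract_kazaa_headers(payload: bytes) -> Dict[str, str]:
    """Return every X-Kazaa-* header in an HTTP-style payload.

    This is the information (search request, username, advertised address)
    the description says an analyst can recover from the captured packet.
    """
    return {name.decode(): value.decode()
            for name, value in HEADER_RE.findall(payload)}


if __name__ == "__main__":
    for label, payload in SAMPLE_PAYLOADS.items():
        hit = rule_matches(payload, to_server=True)
        print(f"{label:15s} matches rule: {hit}")
        if hit or rule_matches(payload, to_server=True, nocase=True):
            for name, value in extract_kazaa_headers(payload).items():
                print(f"    {name} = {value}")
```

The lowercase_tag sample is the case to think about when tuning: it carries the same information but does not match the rule as written, which is a false negative rather than a false positive.  Adding nocase to the content option closes that gap at the cost of a slightly more expensive match.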

Affected Systems:
Any device running a Kazaa compatible client.

Attack Scenarios:

Ease of Attack:
Start up a Kazaa client, and away it goes.

False Positives:
None that I have experienced.

False Negatives:
None that I have experienced.

Corrective Action:
Unfortunately, because Kazaa is so dynamic, it is next to impossible to block this type of traffic using access lists or firewall rules.  We have added resp:rst_all; to this rule in an attempt to stop Kazaa traffic from the IDS side.  There may be other solutions available, such as rate limiters, that can better prevent this traffic.
Sam Evans (sam at ...219...)

