[Snort-sigs] P2P foldershare.com ftp connection with FTP STUFF

daniel uriah clemens daniel_clemens at ...842...
Wed Jul 9 08:05:10 EDT 2003


the flow should be flow:to_server;

Sorry.

-Dan

Correction on this sig:

On Tue, 8 Jul 2003, daniel uriah clemens wrote:

> # This is a template for submitting snort signature descriptions to
> # the snort.org website
> #
> # Ensure that your descriptions are your own
> # and not the work of others.  References in the rules themselves
> # should be used for linking to other's work.
> #
> # If you are unsure of some part of a rule, use that as a commentary
> # and someone else perhaps will be able to fix it.
> #
> # $Id$
> #
> #
>
> Rule:
>
> alert tcp $EXTERNAL_NET 21 -> $HOME_NET any \
> (msg:"P2P foldershare.com ftp connection with FTP STUFF ";\
> flow:to_client;\
> content:"|45 5f 00 15 01 00 0c|"; content:"|01 bb|"; distance:4;
> within:14;classtype:policy-violation;)
>
>
> --
> Sid:
>
> --
> Summary:
>
> A client on your network is trying to initiate a connection to a
> foldershare.com p2p remote file sharing service.
> Usually before this client initiates its connection via ssl for its file
> sharing purposes it will connect to remote computers on ports 80, 8000, and
> 21 with similar payloads.
>
> Content in the packet will look for 45 5f 00 15 01 00 0c followed by 01 bb
> within a range of 4 bytes.
>
>
> --
> Impact:
>
> Many corporations view this type of p2p file sharing activity as a breach of
> their privacy policy or acceptable use policy, or even a security breach to
> share files with untrusted sources.
>
>
> --
> --
> Detailed Information:
> Generally this connection will be made to 216.166.75.8 on port 21 but may
> change sometime in the future.
>
> --
> Affected Systems:
>
> Windows-based operating systems.
>
>
> --
> --
> Attack Scenarios:
>
>  --
> Ease of Attack:
>
> simple
>
> --
> False Positives:
>
> --
> False Negatives:
>
> --
> Corrective Action:
>
> The easiest way to block this activity is to block it at your border
> perimeter.
>
> access-list 101 deny ip any 216.166.75.1 0.0.0.0 log  FolderShare site
> access-list 101 deny ip any 216.166.75.2 0.0.0.0 log  FolderShare SSL server
> access-list 101 deny ip any 216.166.75.8 0.0.0.0 log  AudioGalaxy FTP Server
> access-list 101 deny ip any 216.166.74.3 0.0.0.0 log  AudioGalaxy site
> --
> Contributors:
>
> Daniel Uriah Clemens
> dan.clemens at ...1661...
>
> Thomas Torgeson
> ttorgerson at ...1662...
> --
> Additional References:
> http://www.birmingham-infragard.org/meetings/talks/presentations/P2P-presentation-07-08-2003.ppt
>
> -Daniel Uriah Clemens
>
> Esse quam videri
>     (to be, rather than to appear)
> http://www.birmingham-infragard.org   | 2053284200
> fingerprint: EDF0 6566 2A4A 220E 5760  EA1F 0424 6DF6 F662 F5BD

-Daniel Uriah Clemens

Esse quam videri
    (to be, rather than to appear)
http://www.birmingham-infragard.org   | 2053284200
fingerprint: EDF0 6566 2A4A 220E 5760  EA1F 0424 6DF6 F662 F5BD
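To make the rule's content modifiers concrete, here is an added Python model of Snort's relative content matching (not from the post, and not Snort's own code). It assumes the Snort manual semantics for `distance:4; within:14;`: the `01 bb` pattern is searched starting 4 bytes after the end of the `45 5f 00 15 01 00 0c` match and must fit entirely inside the following 14 bytes; the sample payloads are constructed, not captured traffic.

```python
"""Model of Snort relative content matching (distance / within), added
here to illustrate the foldershare rule; not from the post or Snort."""
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Content:
    pattern: bytes
    distance: int = 0             # skip this many bytes past the previous match
    within: Optional[int] = None  # then search only this many bytes (None = rest)

# The rule's content options:
#   content:"|45 5f 00 15 01 00 0c|"; content:"|01 bb|"; distance:4; within:14;
FOLDERSHARE_CONTENTS = [
    Content(bytes.fromhex("455f001501000c")),
    Content(bytes.fromhex("01bb"), distance=4, within=14),
]

def match_contents(payload: bytes, contents: List[Content]) -> Optional[List[int]]:
    """Offset of each matched content, or None if any content fails.
    The first content may appear anywhere; later ones are searched relative
    to the end of the previous match (assumed Snort-manual semantics)."""
    offsets: List[int] = []
    prev_end = 0
    for index, c in enumerate(contents):
        start = prev_end + c.distance if index else 0
        end = len(payload) if c.within is None else start + c.within
        pos = payload[start:end].find(c.pattern)   # pattern must fit in window
        if pos < 0:
            return None
        offsets.append(start + pos)
        prev_end = start + pos + len(c.pattern)
    return offsets

# Constructed sample payloads (not captured traffic): header, filler, 01 bb.
HEADER = bytes.fromhex("455f001501000c")
SAMPLES = {
    "hit_min_gap":     HEADER + b"\x00" * 4 + b"\x01\xbb",   # gap of exactly 4
    "hit_max_gap":     HEADER + b"\x00" * 16 + b"\x01\xbb",  # ends at last window byte
    "miss_too_close":  HEADER + b"\x00" * 2 + b"\x01\xbb",   # inside the skipped 4
    "miss_too_far":    HEADER + b"\x00" * 17 + b"\x01\xbb",  # one byte past the window
    "hit_with_prefix": b"\xff\xff" + HEADER + b"\x00" * 4 + b"\x01\xbb",
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:16s} -> {match_contents(pkt, FOLDERSHARE_CONTENTS)}")
```

The two "miss" samples show why the summary's "within a range of 4 bytes" understates the rule: `01 bb` placed closer than 4 bytes is skipped by `distance`, and anything ending past the 14-byte window is dropped by `within`.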
