[Snort-sigs] P2P Kazaa Traffic

Chris Baker extremis at ...862...
Wed Jul 9 08:21:41 EDT 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, Jul 09, 2003 at 10:31:33AM -0400, Sam Evans wrote:
> Rule:
> alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"P2P Kazaa Traffic"; \
> content:"X-Kazaa"; flow:to_server;)
> 

This kind of rule will usually be ignored by most users since it
searches the full payload. Can this be tightened down a bit? Maybe
within the first 64 bytes?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (SunOS)

iD8DBQE/DC9jbKHg1qAf3vIRAmL/AJoDERpVyVTaart98Y/L1CmRfP6aCwCg5eQa
HQh2I5GZN94ElZVkMFTTerw=
=4EmS
-----END PGP SIGNATURE-----
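As an added illustration that is not part of the thread above, the script below emulates Snort's `content` match with and without a `depth` modifier over a few constructed payloads. The `depth:64` value is the one Chris floats; the payload bytes, their names and the `content_match` helper are assumptions made for this example and are not Snort code or captured Kazaa traffic. The samples show the two sides of the trade-off: the full-payload search fires on an ordinary web page that merely mentions the string, while the `depth`-restricted search misses a client whose `X-Kazaa` header happens to sit past byte 64.

```python
"""Emulate a Snort 'content' match, optionally confined by offset/depth,
and compare a full-payload rule against a depth-restricted one.

Constructed sample payloads (not captured traffic) are used throughout.
"""
from typing import Dict, Optional, Tuple

PATTERN = b"X-Kazaa"

# Original rule from the thread: search the entire payload.
ORIGINAL_RULE = {"pattern": PATTERN, "offset": 0, "depth": None}
# Suggested tightening: only the first 64 bytes (assumed value).
TIGHTENED_RULE = {"pattern": PATTERN, "offset": 0, "depth": 64}


def content_match(payload: bytes, pattern: bytes,
                  offset: int = 0, depth: Optional[int] = None) -> bool:
    """Return True if pattern occurs in payload under Snort-style modifiers.

    offset: byte position at which the search starts.
    depth:  number of bytes, counted from offset, that the search is confined
            to. The whole pattern must fit inside that window, as it does in
            Snort; None means search to the end of the payload.
    """
    if depth is not None and depth < len(pattern):
        # Snort refuses to load a rule whose depth is shorter than its content.
        raise ValueError("depth must be at least the pattern length")
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    return window.find(pattern) != -1


def evaluate(payload: bytes, rule: dict) -> bool:
    """Apply one emulated rule (pattern/offset/depth) to a payload."""
    return content_match(payload, rule["pattern"], rule["offset"], rule["depth"])


# Constructed samples. Byte offsets were chosen deliberately:
#  - kazaa_request: "X-Kazaa" starts at byte 31, inside the first 64 bytes.
#  - html_page: the string only appears ~2000 bytes into a response body.
#  - late_header: long Host/User-Agent lines push the header past byte 64.
#  - straddles_64: the string begins at byte 60 and crosses the boundary.
SAMPLES: Dict[str, bytes] = {
    "kazaa_request": (b"GET /.files/song.mp3 HTTP/1.1\r\n"
                      b"X-Kazaa-Username: testuser\r\n"
                      b"Host: 198.51.100.7:1214\r\n\r\n"),
    "html_page": (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                  b"<p>" + b"a" * 2000 + b" see the X-Kazaa-Username header</p>"),
    "late_header": (b"GET /.files/a-very-long-file-name-for-testing.mp3 HTTP/1.1\r\n"
                    b"Host: some.long.hostname.example:1214\r\n"
                    b"User-Agent: KazaaClient Nov  3 2002 20:29:03\r\n"
                    b"X-Kazaa-Username: testuser\r\n\r\n"),
    "straddles_64": b"a" * 60 + b"X-Kazaa-Network: KaZaA\r\n",
}


def compare(samples: Dict[str, bytes]) -> Dict[str, Tuple[bool, bool]]:
    """Return {name: (original_rule_hit, tightened_rule_hit)} per sample."""
    return {name: (evaluate(p, ORIGINAL_RULE), evaluate(p, TIGHTENED_RULE))
            for name, p in samples.items()}


if __name__ == "__main__":
    for name, (orig, tight) in compare(SAMPLES).items():
        print(f"{name:14s} full-payload={orig!s:5}  depth:64={tight}")
```

In rule syntax the tightened content clause is `content:"X-Kazaa"; depth:64;`. Whether 64 is enough depends on how early the client emits the header; the `late_header` sample shows the kind of request a small depth silently drops, so the value should be checked against real captures before it replaces the full-payload search.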




More information about the Snort-sigs mailing list