[Snort-sigs] P2P Kazaa Traffic

Sam Evans sam at ...219...
Wed Jul 9 08:33:16 EDT 2003


Should have added:

classtype:policy-violation;

to the rule.  Sorry about that.

-Sam

On Wed, 9 Jul 2003, Sam Evans wrote:

> # This is a template for submitting snort signature descriptions to
> # the snort.org website
> #
> # Ensure that your descriptions are your own
> # and not the work of others.  References in the rules themselves
> # should be used for linking to others' work.
> #
> # If you are unsure of some part of a rule, use that as a commentary
> # and someone else perhaps will be able to fix it.
> #
> # $Id$
> #
> #
>
> Rule:
> alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg: "P2P Kazaa Traffic";\
> content: "X-Kazaa"; flow:to_server,established; classtype:policy-violation; resp:rst_all;)
>
> --
> Sid:
>
> --
> Summary:
> A device on your network has initiated a Kazaa connection.  The X-Kazaa tag is used extensively in the
> Kazaa protocol to handle various information requests.  Capturing this packet will reveal search
> information, as well as the user's Kazaa username.
>
> --
> Impact:
> Kazaa is one of the most commonly used P2P programs today.  Because of this, its users are becoming a
> primary target for the RIAA.  Along with this, many corporations consider P2P activity a violation of
> their end user policies.
>
>
> --
> Detailed Information:
> The supernodes and clients negotiate their connection information, thus connections are initiated using
> random ports and random IP addresses.  The only way to truly identify Kazaa traffic is to look inside
> the packet and pick out the X-Kazaa tags.
>
> --
> Affected Systems:
> Any device running a Kazaa compatible client.
>
> --
> Attack Scenarios:
> None
>
> --
> Ease of Attack:
> Start up a Kazaa client, and away it goes.
>
> --
> False Positives:
> None that I have experienced.
> --
> False Negatives:
> None that I have experienced.
> --
> Corrective Action:
> Unfortunately, because Kazaa is so dynamic it is next to impossible to block this type of traffic using
> access lists or firewall rules.  We have added resp:rst_all; to this rule in an attempt to stop
> Kazaa traffic from an IDS point of view.  There may be other solutions available, such as rate limiters,
> that can better prevent this traffic.
> --
> Contributors:
> Sam Evans (sam at ...219...)
>
> --
> Additional References:
> www.kazaa.com
>
>
>
>
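As an added illustration (not part of Sam's post or the Snort project), here is a small Python re-implementation of what the quoted rule matches, run over constructed sample packets. The HOME_NET range, addresses, ports and payloads are assumptions made up for this example; the `to_server` flag stands in for Snort's flow direction tracking.

```python
# Added example: mirrors the quoted rule
#   alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (content:"X-Kazaa"; flow:to_server;)
# HOME_NET and all sample packets below are assumptions, not real captures.
import ipaddress
from dataclasses import dataclass

HOME_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed local range; $EXTERNAL_NET = !$HOME_NET


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    to_server: bool   # stand-in for flow:to_server (client -> server half of the session)
    payload: bytes


def matches_kazaa_rule(pkt: Packet) -> bool:
    """Apply the rule's header and payload conditions to one packet."""
    src_home = ipaddress.ip_address(pkt.src) in HOME_NET
    dst_external = ipaddress.ip_address(pkt.dst) not in HOME_NET
    if not (src_home and dst_external):
        return False
    if pkt.sport < 1024 or pkt.dport < 1024:   # "1024:" means port 1024 and above
        return False
    if not pkt.to_server:
        return False
    # content:"X-Kazaa" without nocase is a case-sensitive match at any offset
    return b"X-Kazaa" in pkt.payload


def kazaa_headers(payload: bytes) -> dict:
    """Pull the X-Kazaa* header lines out of a matching payload (the search/username
    information the summary says an analyst can read from the captured packet)."""
    headers = {}
    for line in payload.split(b"\r\n"):
        if line.startswith(b"X-Kazaa"):
            name, _, value = line.partition(b":")
            headers[name.decode()] = value.strip().decode()
    return headers


# Constructed samples: one Kazaa request, one ordinary HTTP request, one server reply.
KAZAA_PKT = Packet("10.1.2.3", 3456, "203.0.113.9", 1214, True,
    b"GET /.files HTTP/1.1\r\nHost: 203.0.113.9:1214\r\n"
    b"X-Kazaa-Username: alice\r\nX-Kazaa-Network: KaZaA\r\n\r\n")
PLAIN_HTTP_PKT = Packet("10.1.2.3", 3457, "203.0.113.9", 80, True,
    b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")
REPLY_PKT = Packet("203.0.113.9", 1214, "10.1.2.3", 3456, False,
    b"HTTP/1.1 200 OK\r\nX-Kazaa-Username: bob\r\n\r\n")
```

Only KAZAA_PKT fires: the plain request fails the port and content checks, and the reply fails the direction check even though it carries an X-Kazaa header.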