[Snort-sigs] P2P Kazaa Traffic

Sam Evans sam at ...219...
Wed Jul 9 10:20:06 EDT 2003


It could, and I will work on that.  The thing we've noticed with the rule
is that it will capture the user's Kazaa name, as well as the supernode
they are connected to.  Not sure if limiting to the first 64 bytes will get
all that, but I'll tinker with it.



On Wed, 9 Jul 2003, Chris Baker wrote:

> On Wed, Jul 09, 2003 at 10:31:33AM -0400, Sam Evans wrote:
> > Rule:
> > alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg: "P2P Kazaa Traffic";\
> > content: "X-Kazaa"; flow:to_server;)
> >
>
> This kind of rule will usually be ignored by most users since it
> searches the full payload. Can this been tightened down a bit? Maybe
> within the first 64 bytes?
>
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>

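As an added example (not code from this thread), the following Python emulates Snort's content/offset/depth matching against constructed Kazaa-style requests, so the "first 64 bytes" suggestion can be checked against where the header actually lands; the X-Kazaa-Username / X-Kazaa-SupernodeIP header names and the sample payloads are assumptions.

```python
import re

# Constructed sample client requests modelled on Kazaa/FastTrack HTTP-style
# traffic. Header names are assumed, not taken from a capture.
EARLY = (b"GET /.files HTTP/1.1\r\n"                 # "X-Kazaa" lands at byte 22
         b"X-Kazaa-Username: user42\r\n"
         b"X-Kazaa-SupernodeIP: 10.0.0.5:1214\r\n"
         b"Host: 192.0.2.7:1214\r\n\r\n")
LATE = (b"GET /some/longer/path/to/a/shared/file.mp3 HTTP/1.1\r\n"
        b"Host: 192.0.2.7:1214\r\n"                    # "X-Kazaa" lands at byte 75
        b"X-Kazaa-Username: user42\r\n"
        b"X-Kazaa-SupernodeIP: 10.0.0.5:1214\r\n\r\n")
# Header starts at byte 60, so a 7-byte pattern straddles a 64-byte depth.
STRADDLE = b"GET /" + b"a" * 44 + b" HTTP/1.1\r\nX-Kazaa-Username: user42\r\n\r\n"

# Tightened rule the thread discusses (assumed Snort 2.x syntax, added here):
#   alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"P2P Kazaa Traffic"; \
#     flow:to_server,established; content:"X-Kazaa"; depth:64; \
#     classtype:policy-violation; sid:1000001; rev:1;)


def content_match(payload, pattern, depth=None, offset=0):
    """Index of the first occurrence of `pattern` that Snort's content
    modifiers would accept, or -1.

    Snort semantics: the search starts at `offset`; when `depth` is set the
    whole pattern must lie within the next `depth` bytes from that offset.
    """
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    idx = window.find(pattern)
    return -1 if idx < 0 else idx + offset


KAZAA_HDR = re.compile(rb"^(X-Kazaa-[A-Za-z]+):[ \t]*(.*?)\r?$", re.M)


def kazaa_headers(payload):
    """Collect the X-Kazaa-* headers a logged matching packet would carry
    (the username and supernode the reply above mentions)."""
    return {k.decode(): v.decode() for k, v in KAZAA_HDR.findall(payload)}


if __name__ == "__main__":
    for name, pkt in (("EARLY", EARLY), ("LATE", LATE), ("STRADDLE", STRADDLE)):
        full = content_match(pkt, b"X-Kazaa")
        limited = content_match(pkt, b"X-Kazaa", depth=64)
        print(f"{name:9s} full-payload={full:3d} depth:64={limited:3d} {kazaa_headers(pkt)}")
```

Only the first sample is caught once depth:64 is applied; the other two show the two ways a tightened rule misses traffic (header after the window, and pattern straddling its end).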


