[Snort-sigs] P2P Kazaa Traffic

Wes Young wyoung at ...1639...
Wed Jul 9 20:33:04 EDT 2003


Will this just capture the login attempt, or all Kazaa traffic?
If not, is there a way to just capture login attempts (to cut down on logs)?
Just curious, haven't looked too far into it. Thanks!

wes

>>> Sam Evans <sam at ...219...> 07/09 1:18 PM >>>
It could, and I will work on that.  The thing we've noticed with the rule
is that it will capture the user's Kazaa name, as well as the supernode
they are connected to.  Not sure if limiting to the first 64 bytes will get
all that, but I'll tinker with it.



On Wed, 9 Jul 2003, Chris Baker wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Wed, Jul 09, 2003 at 10:31:33AM -0400, Sam Evans wrote:
> > Rule:
> > alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg: "P2P Kazaa Traffic";\
> > content: "X-Kazaa"; flow:to_server;)
> >
>
> This kind of rule will usually be ignored by most users since it
> searches the full payload. Can this be tightened down a bit? Maybe
> within the first 64 bytes?
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.2 (SunOS)
>
> iD8DBQE/DC9jbKHg1qAf3vIRAmL/AJoDERpVyVTaart98Y/L1CmRfP6aCwCg5eQa
> HQh2I5GZN94ElZVkMFTTerw=
> =4EmS
> -----END PGP SIGNATURE-----
>
>
> -------------------------------------------------------
> This SF.Net email sponsored by: Parasoft
> Error proof Web apps, automate testing & more.
> Download & eval WebKing and get a free book.
> www.parasoft.com/bulletproofapps 
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net 
> https://lists.sourceforge.net/lists/listinfo/snort-sigs 
>
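
Added example, not part of the original thread: a Python emulation of how a Snort `content` search behaves once it is limited with `depth`, run on constructed Kazaa-style requests to see whether a 64-byte window still reaches the `X-Kazaa` headers. The payloads, header names other than the `X-Kazaa` prefix, and addresses are assumptions made for illustration; measure real captures before settling on a depth.

```python
# Constructed samples (not from a capture): Kazaa-style HTTP requests.
LONG_REQ = (
    b"GET /.hash=0123456789abcdef HTTP/1.1\r\n"
    b"Host: 192.0.2.10:1214\r\n"
    b"UserAgent: KazaaClient\r\n"
    b"X-Kazaa-Username: exampleuser\r\n"
    b"X-Kazaa-Network: KaZaA\r\n"
    b"X-Kazaa-IP: 198.51.100.7:1214\r\n"
    b"X-Kazaa-SupernodeIP: 203.0.113.5:1214\r\n\r\n"
)
SHORT_REQ = b"GET / HTTP/1.1\r\nX-Kazaa-Username: u\r\n\r\n"


def content_match(payload, pattern, offset=0, depth=None):
    """Emulate content/offset/depth: the whole pattern must lie inside
    payload[offset:offset+depth]. Returns the match index or -1."""
    end = len(payload) if depth is None else min(len(payload), offset + depth)
    return payload.find(pattern, offset, end)


def kazaa_headers(payload, prefix=b"X-Kazaa"):
    """Map each header whose name starts with prefix to (offset, value)."""
    found, pos = {}, 0
    for line in payload.split(b"\r\n"):
        if line.startswith(prefix) and b":" in line:
            name, value = line.split(b":", 1)
            found[name.decode()] = (pos, value.strip().decode())
        pos += len(line) + 2  # account for the CRLF removed by split
    return found


def min_depth(payloads, pattern):
    """Smallest depth that still matches every payload, or None if a
    payload lacks the pattern (or no payloads were given)."""
    needed = []
    for p in payloads:
        idx = p.find(pattern)
        if idx < 0:
            return None
        needed.append(idx + len(pattern))
    return max(needed, default=None)


if __name__ == "__main__":
    for label, req in (("long", LONG_REQ), ("short", SHORT_REQ)):
        hit = content_match(req, b"X-Kazaa", depth=64)
        print(label, "depth:64 ->", "match" if hit >= 0 else "miss")
    print("headers:", kazaa_headers(LONG_REQ))
    print("min depth:", min_depth([LONG_REQ, SHORT_REQ], b"X-Kazaa"))
```

In Snort, `depth` only narrows where the pattern is searched for; it does not change how much of the packet is logged once the rule fires.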

