[Snort-sigs] P2P Kazaa Traffic
jtjuslin at ...1151...
Wed Jul 9 23:42:01 EDT 2003
I think this would be a good idea! The KaZaa filter produces a lot of
It is interesting to see from some KaZaa packet captures, what movies are
being downloaded (to verify). I can't do the same anymore with BitTorrent,
because it seems that the transfer is somehow encrypted. Am I right?
On Wed, 9 Jul 2003, Wes Young wrote:
->Will this just capture the login attempt??? or all kazaa Traffic?
->If not, is there a way to just capture login attempts (to cut down on logs)
->Just curious, haven't looked too far into it. Thanks!
->>>> Sam Evans <sam at ...219...> 07/09 1:18 PM >>>
->It could, and I will work on that. The thing we've noticed with the rule
->is that it will capture the user's Kazaa name, as well as the supernode
->they are connected to. Not sure if limiting to the first 64 bytes will get
->all that, but I'll tinker with it.
->On Wed, 9 Jul 2003, Chris Baker wrote:
->> On Wed, Jul 09, 2003 at 10:31:33AM -0400, Sam Evans wrote:
->> > Rule:
->> > alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg: "P2P Kazaa Traffic";\
->> > content: "X-Kazaa"; flow:to_server;)
->> This kind of rule will usually be ignored by most users since it
->> searches the full payload. Can this be tightened down a bit? Maybe
->> within the first 64 bytes?
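Added example, not part of the original thread: a Python emulation of a Snort content search with a depth limit, run against a constructed Kazaa-style request, to check whether a 64-byte window would still reach the X-Kazaa headers (user name, supernode) the thread mentions. The sample payload, its header names and their order are assumptions, not a packet capture.

```python
import re

PATTERN = b"X-Kazaa"  # content string from the rule quoted in the thread

# Constructed sample payload (assumption): header names and order are illustrative.
SAMPLE = (
    b"GET /.hash=0123456789abcdef HTTP/1.1\r\n"
    b"Host: 192.0.2.10:1214\r\n"
    b"UserAgent: KazaaClient\r\n"
    b"X-Kazaa-Username: exampleuser\r\n"
    b"X-Kazaa-Network: KaZaA\r\n"
    b"X-Kazaa-IP: 198.51.100.7:1214\r\n"
    b"X-Kazaa-SupernodeIP: 203.0.113.5:1214\r\n"
    b"\r\n"
)


def content_match(payload, pattern, depth=None):
    """Offset of the first match, or -1.

    With depth set, only the first `depth` payload bytes are searched and the
    pattern must lie entirely inside that window, as with Snort's depth modifier.
    """
    window = payload if depth is None else payload[:depth]
    return window.find(pattern)


def min_depth(payload, pattern):
    """Smallest depth value at which the pattern still matches, or None."""
    offset = payload.find(pattern)
    return None if offset < 0 else offset + len(pattern)


def extract_fields(payload):
    """Map each X-Kazaa-* header name to (byte offset, value) for logging."""
    fields = {}
    for m in re.finditer(rb"(X-Kazaa-[A-Za-z]+): ([^\r\n]*)", payload):
        fields[m.group(1).decode()] = (m.start(), m.group(2).decode())
    return fields


if __name__ == "__main__":
    print("full payload match offset:", content_match(SAMPLE, PATTERN))
    print("match with depth 64:      ", content_match(SAMPLE, PATTERN, 64))
    print("minimum depth needed:     ", min_depth(SAMPLE, PATTERN))
    for name, (offset, value) in extract_fields(SAMPLE).items():
        print(f"{offset:4d}  {name} = {value}")
```

Running the same functions over payloads taken from your own captures shows how deep the first X-Kazaa header really sits before a depth value is chosen for the rule.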