[Snort-sigs] P2P Kazaa Traffic
wyoung at ...1639...
Thu Jul 10 06:18:07 EDT 2003
I haven't looked into bit torrent yet, only used it a few times, no packet captures.....even so, I don't think it authenticates, it just spams the file out on a certain port. It turns your comp into a p2p server, so all you need to do is look for incoming traffic on whatever port it uses.
Again, like I said, I haven't used it much. I will try to snag some captures this weekend and post them. See if we can't find at least the negotiation attempts when they connect. I hate it on my network, it's an upstream hog. Great tool, but only good at night when everyone is asleep.
>>> Jukka Juslin <jtjuslin at ...1151...> 07/10 2:39 AM >>>
I think this would be a good idea! The KaZaa filter produces a lot of
It is interesting to see from some KaZaa packet captures, what movies are
being downloaded (to verify). I can't do the same anymore with BitTorrent,
because it seems to be that the transfer is somehow encrypted. Am I right?
On Wed, 9 Jul 2003, Wes Young wrote:
->Will this just capture the login attempt??? or all Kazaa traffic?
->If not, is there a way to just capture login attempts (to cut down on logs)?
->Just curious, haven't looked too far into it. Thanks!
->>>> Sam Evans <sam at ...219...> 07/09 1:18 PM >>>
->It could, and I will work on that. The thing we've noticed with the rule
->is that it will capture the user's Kazaa name, as well as the supernode
->they are connected to. Not sure if limiting to the first 64 bytes will get
->all that, but I'll tinker with it.
->On Wed, 9 Jul 2003, Chris Baker wrote:
->> -----BEGIN PGP SIGNED MESSAGE-----
->> Hash: SHA1
->> On Wed, Jul 09, 2003 at 10:31:33AM -0400, Sam Evans wrote:
->> > Rule:
->> > alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg: "P2P Kazaa Traffic";\
->> > content: "X-Kazaa"; flow:to_server; sid:1000001; rev:1;)
->> This kind of rule will usually be ignored by most users since it
->> searches the full payload. Can this been tightened down a bit? Maybe
->> within the first 64 bytes?
->> -----BEGIN PGP SIGNATURE-----
->> Version: GnuPG v1.2.2 (SunOS)
->> -----END PGP SIGNATURE-----
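The point Chris raises about searching the full payload versus only the first 64 bytes is the difference between `content:"X-Kazaa";` and `content:"X-Kazaa"; depth:64;` in Snort. The following is an added example, not code from anyone on this thread: it emulates Snort's `content`/`depth` semantics in Python over two constructed payloads (not real captures) so the effect of the depth limit can be seen, and it pulls out the username and supernode fields Sam mentions. The `X-Kazaa-Username` and `X-Kazaa-SupernodeIP` header names and all values are assumptions made for the example.

```python
"""Added example: emulate Snort `content`/`depth` matching for the
"X-Kazaa" rule discussed on the thread, using constructed payloads."""
import re
from typing import Dict, Optional

# Constructed Kazaa-style login request (not a real capture). The header
# names are assumed; the values are made up.
KAZAA_LOGIN = (
    b"GET /.files HTTP/1.1\r\n"
    b"Host: 10.0.0.5:1214\r\n"
    b"X-Kazaa-Username: alice\r\n"
    b"X-Kazaa-Network: KaZaA\r\n"
    b"X-Kazaa-SupernodeIP: 192.0.2.10:1214\r\n"
    b"\r\n"
)

# Constructed ordinary web request whose body mentions the string well past
# the first 64 bytes: a full-payload search alerts on it, a depth-limited one
# does not.
INNOCENT = (
    b"POST /forum/post HTTP/1.1\r\n"
    b"Host: forum.example\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"Has anyone seen a rule that matches on X-Kazaa in the payload?"
)


def content_match(payload: bytes, pattern: bytes, depth: Optional[int] = None) -> bool:
    """Snort `content:"..."` semantics: the pattern must occur in the payload.
    With `depth:N` only the first N bytes are searched, so the pattern has to
    end inside that window to match."""
    window = payload if depth is None else payload[:depth]
    return pattern in window


def kazaa_fields(payload: bytes) -> Dict[str, str]:
    """Extract the Kazaa username and supernode from HTTP-style headers (the
    two fields the thread says the rule ends up logging)."""
    fields: Dict[str, str] = {}
    for name in (b"X-Kazaa-Username", b"X-Kazaa-SupernodeIP"):
        # Header at start of a line, value runs to end of line (CR excluded).
        m = re.search(rb"^" + name + rb":[ \t]*([^\r\n]+)", payload, re.M)
        if m:
            fields[name.decode()] = m.group(1).decode(errors="replace")
    return fields


def evaluate(payload: bytes) -> Dict[str, object]:
    """Run both rule variants over one payload and report what each would alert on."""
    return {
        "full_payload_alert": content_match(payload, b"X-Kazaa"),
        "depth64_alert": content_match(payload, b"X-Kazaa", depth=64),
        "fields": kazaa_fields(payload),
    }


if __name__ == "__main__":
    for label, payload in (("kazaa login", KAZAA_LOGIN), ("innocent POST", INNOCENT)):
        print(label, evaluate(payload))
```

Both rule variants alert on the Kazaa login because the header sits inside the first 64 bytes, while only the full-payload variant fires on the forum post, which is the false positive (and the per-packet search cost) that `depth` is meant to cut. Whether 64 bytes is enough for a given client depends on how many headers precede the `X-Kazaa` lines, which is what Sam says he will check against captures.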