[Snort-sigs] P2P Kazaa Traffic

Wes Young wyoung at ...1639...
Thu Jul 10 06:18:07 EDT 2003


I haven't looked into bit torrent yet, only used it a few times, no packet captures.....even so, I don't think it authenticates, it just spams the file out on a certain port. It turns your comp into a p2p server, so all you need to do is look for incoming traffic on whatever port it uses.

Again, like I said, I haven't used it much. I will try to snag some captures this weekend and post them. See if we can't find at least the negotiation attempts when they connect. I hate it on my network, it's an upstream hog. Great tool, but only good at night when everyone is asleep.

>>> Jukka Juslin <jtjuslin at ...1151...> 07/10 2:39 AM >>>

Hi,

I think this would be a good idea! The KaZaa filter produces a lot of
alerts otherwise.

It is interesting to see from some KaZaa packet captures, what movies are
being downloaded (to verify). I can't do the same anymore with BitTorrent,
because it seems to be that the transfer is somehow encrypted. Am I right?

Jukka

On Wed, 9 Jul 2003, Wes Young wrote:

->Will this just capture the login attempt??? or all kazaa Traffic?
->If not, is there a way to just capture login attempts (to cut down on logs)
->Just curious, haven't looked too far into it. Thanks!
->
->wes
->
->>>> Sam Evans <sam at ...219...> 07/09 1:18 PM >>>
->It could, and I will work on that.  The thing we've noticed with the rule
->is that it will capture the user's Kazaa name, as well as the supernode
->they are connected to.  Not sure if limiting to the first 64 bytes will get
->all that, but I'll tinker with it.
->
->
->
->On Wed, 9 Jul 2003, Chris Baker wrote:
->
->> -----BEGIN PGP SIGNED MESSAGE-----
->> Hash: SHA1
->>
->> On Wed, Jul 09, 2003 at 10:31:33AM -0400, Sam Evans wrote:
->> > Rule:
->> > alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg: "P2P Kazaa Traffic";\
->> > content: "X-Kazaa"; flow:to_server;)
->> >
->>
->> This kind of rule will usually be ignored by most users since it
->> searches the full payload. Can this been tightened down a bit? Maybe
->> within the first 64 bytes?
->> -----BEGIN PGP SIGNATURE-----
->> Version: GnuPG v1.2.2 (SunOS)
->>
->> iD8DBQE/DC9jbKHg1qAf3vIRAmL/AJoDERpVyVTaart98Y/L1CmRfP6aCwCg5eQa
->> HQh2I5GZN94ElZVkMFTTerw=
->> =4EmS
->> -----END PGP SIGNATURE-----
->>
->>
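The thread's point about cost is that a bare `content:"X-Kazaa"` is searched over the whole payload of every matching packet, while Snort's `depth` modifier confines the search to the first N bytes. The example below is added here, not code from the thread or from the Snort project: it emulates that content/depth match and runs it over constructed Kazaa-style HTTP requests (the header names, addresses and `sid` values are sample data chosen for the example, not real captures or assigned rule ids), so you can see both what a 64-byte depth still catches and the case Sam raises where the interesting headers sit past the cutoff.

```python
"""Emulate Snort's `content` search with and without `depth`, over constructed
Kazaa-style HTTP payloads. Sample data only, not real captures."""

from typing import Dict, Optional

# The rule from the thread (protocol supplied) and a tightened variant.
# The sid values are placeholders chosen for this example.
ORIGINAL_RULE = (
    'alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: '
    '(msg:"P2P Kazaa Traffic"; flow:to_server; content:"X-Kazaa"; '
    'sid:1000001; rev:1;)'
)
TIGHTENED_RULE = (
    'alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: '
    '(msg:"P2P Kazaa Traffic"; flow:to_server,established; '
    'content:"X-Kazaa"; depth:64; sid:1000002; rev:1;)'
)

# Constructed sample: the X-Kazaa header appears right after the request line.
EARLY_HEADER = (
    b"GET /.files HTTP/1.1\r\n"
    b"X-Kazaa-Username: exampleuser\r\n"
    b"X-Kazaa-SupernodeIP: 198.51.100.7:1214\r\n"
    b"Host: 198.51.100.7:1214\r\n"
    b"\r\n"
)

# Constructed sample: other headers push the X-Kazaa header past byte 64.
LATE_HEADER = (
    b"GET /some/long/path HTTP/1.1\r\n"
    b"Host: 203.0.113.10:1214\r\n"
    b"User-Agent: KazaaClient Jul 10 2003 00:00:00\r\n"
    b"X-Kazaa-Username: exampleuser\r\n"
    b"X-Kazaa-SupernodeIP: 198.51.100.7:1214\r\n"
    b"\r\n"
)

# Constructed sample: ordinary HTTP on a high port, no Kazaa headers at all.
PLAIN_HTTP = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"


def match_offset(payload: bytes, pattern: bytes,
                 depth: Optional[int] = None) -> Optional[int]:
    """Return the offset of `pattern` in `payload`, or None if absent.

    With `depth` set, the whole pattern must lie within the first `depth`
    bytes, which is how Snort's depth modifier constrains a content match.
    """
    window = payload if depth is None else payload[:depth]
    idx = window.find(pattern)
    return None if idx < 0 else idx


def kazaa_fields(payload: bytes) -> Dict[str, str]:
    """Extract X-Kazaa-* request headers from an HTTP payload.

    These are the fields the thread refers to when it says the rule captures
    the user's Kazaa name and the supernode they are connected to.
    """
    head, _, _ = payload.partition(b"\r\n\r\n")
    fields: Dict[str, str] = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.lower().startswith(b"x-kazaa"):
            fields[name.decode("ascii")] = value.strip().decode("ascii", "replace")
    return fields


if __name__ == "__main__":
    for label, payload in (("early", EARLY_HEADER), ("late", LATE_HEADER),
                           ("plain", PLAIN_HTTP)):
        print(label,
              "full-payload:", match_offset(payload, b"X-Kazaa"),
              "depth 64:", match_offset(payload, b"X-Kazaa", depth=64),
              "fields:", kazaa_fields(payload))
```

Run as a script it shows the trade-off in one screen: the early-header request matches either way at offset 22, the late-header request matches only the full-payload rule (offset 101), and plain HTTP never matches. Whether `depth:64` is acceptable therefore depends on where the client actually places the header in real captures, which is exactly what the thread proposes to check.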
