[Snort-sigs] P2P Kazaa Traffic

Jacob Hurley jacobh at ...1425...
Thu Jul 10 12:20:03 EDT 2003

i am interested in how to create signatures for bittorrent as well, but i will also need to grab some actual payloads for the 'content' keywords.  i can add to the discussion by mentioning that it starts out by standard web traffic when you choose to download the .torrent file.  past that the bittorrent client takes over and uses port 6881:6889 to grab the file.  also, while you are downloading the file, other 'peers' downloading the file will attempt to connect to your machine (ports 6881:6889 as well) and add to your transfers downstream and upstream.  (with bittorrent, the more people grabbing the file - the better) it really is a nifty tool to distribute files quickly.


-----Original Message-----
From: Wes Young [mailto:wyoung at ...1639...]
Sent: Thursday, July 10, 2003 8:10 AM
To: jtjuslin at ...1151...
Cc: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] P2P Kazaa Traffic

I haven't looked into bit torrent yet, only used it a few times, no packet captures.....even so, I don't think it authenticates, it just spams the file out on a certain port. It turns your comp into a p2p server, so all you need to do is look for incomming traffic on whatever port it uses.

Again, like I said, I haven't used it much. I will try to snag some captures this weekend and post them. See if we can't find atleast the negotiation attempts when they connect. I hate it on my network, its an upstream hog. Great tool, but only good at night when everyone is asleep.

>>> Jukka Juslin <jtjuslin at ...1151...> 07/10 2:39 AM >>>


I think this would be a good idea! The KaZaa filter produces a lot of
alerts otherwise.

It is interesting to see from some KaZaa packet captures, what movies are
being downloaded (to verify). I can't do the same anymore with BitTorrent,
because it seems to be that the transfer is somehow encrypted. Am I right?


On Wed, 9 Jul 2003, Wes Young wrote:

->Will this just capture the login attempt??? or all kazaa Traffic?
->If not, is there a way to just capture login attempts (to cut down on logs)
->Just curious, haven't looked to far into it. Thanks!
->>>> Sam Evans <sam at ...219...> 07/09 1:18 PM >>>
->It could, and I will work on that.  The thing we've noticed with the rule
->is that it will capture the user's Kazaa name, as well as the supernode
->they are connected to.  Not sure if limiting to the first 64bytes will get
->all that, but I'll tinker with it.
->On Wed, 9 Jul 2003, Chris Baker wrote:
->> Hash: SHA1
->> On Wed, Jul 09, 2003 at 10:31:33AM -0400, Sam Evans wrote:
->> > Rule:
->> > alert $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg: "P2P Kazaa Traffic";\
->> > content: "X-Kazaa"; flow:to_server;)
->> >
->> This kind of rule will usually be ignored by most users since it
->> searches the full payload. Can this been tightened down a bit? Maybe
->> within the first 64 bytes?
->> Version: GnuPG v1.2.2 (SunOS)
->> iD8DBQE/DC9jbKHg1qAf3vIRAmL/AJoDERpVyVTaart98Y/L1CmRfP6aCwCg5eQa
->> HQh2I5GZN94ElZVkMFTTerw=
->> =4EmS
->> -----END PGP SIGNATURE-----

This SF.Net email sponsored by: Parasoft
Error proof Web apps, automate testing & more.
Download & eval WebKing and get a free book.
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net

More information about the Snort-sigs mailing list