[Snort-sigs] Rule Proposal "Kazaa Supernode Event"
Esler, Joel Contractor
EslerJ at ...785...
Mon Jun 9 06:22:27 EDT 2003
Rule: -- Kazaa Supernode Event
Sid: -- 1000104
Signature: -- alert tcp any any -> any 53 (msg:"Kazaa Supernode Event";
content:"supernode.kazaa.com"; sid:1000104; rev:1;)
Summary: -- This rule detects the resolution of "supernode.kazaa.com" on a
Impact: -- Network bandwidth usage and sharing of files.
Detailed Information: -- Kazaa, a popular P2P file sharing program, uses a
DNS Server during its initial connection attempts to resolve the name
"supernode.kazaa.com", by using this string you can detect this initial
Affected Systems: -- Any that have the software installed.
Attack Scenarios: -- File Sharing within the network
Ease of Attack: -- Unknown
False Positives: -- the string "supernode.kazaa.com" in traffic that
travels on port 53 could trigger this event.
False Negatives: -- Unknown
Corrective Action: -- Remove unauthorized File-Sharing programs installed
in the network.
Contributors: -- Joel Esler
Additional References: www.kazaa.com
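
Added example, not part of the original post: a check of how the hostname from the signature appears inside a DNS query. DNS (RFC 1035) carries names as length-prefixed labels rather than dotted text, so a plain content match on "supernode.kazaa.com" does not hit a standard query; the sketch builds a constructed A query and prints the equivalent content pattern. The function names and the sample transaction ID are assumptions made for the illustration.

```python
# Added example (not from the original post): how the rule's hostname
# appears inside a DNS query, per the RFC 1035 wire format.
import struct

HOSTNAME = "supernode.kazaa.com"  # string from the proposed rule


def encode_qname(name: str) -> bytes:
    """Encode a dotted name as length-prefixed labels ending in a zero byte."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"invalid label length: {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0)
    if len(out) > 255:
        raise ValueError("name too long")
    return bytes(out)


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed sample: a standard recursive A/IN query for `name`."""
    # Header: id, flags (RD set), QDCOUNT=1, ANCOUNT=NSCOUNT=ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", 1, 1)


def snort_content(name: str) -> str:
    """Render the wire-format name in Snort's |hex| content notation."""
    parts = []
    for label in name.rstrip(".").split("."):
        parts.append(f"|{len(label):02X}|{label}")
    return "".join(parts) + "|00|"


def rule_string_matches(payload: bytes, needle: str) -> bool:
    """Case-sensitive substring search, like a plain content: option."""
    return needle.encode("ascii") in payload


if __name__ == "__main__":
    query = build_query(HOSTNAME)
    print("dotted string present:", rule_string_matches(query, HOSTNAME))
    print("wire-format content:  ", snort_content(HOSTNAME))
```

Ordinary lookups are usually sent over UDP port 53, so a signature written for tcp would see the name mainly when a resolver falls back to TCP.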