[Snort-sigs] Rule Proposal "Kazaa Supernode Event"

Esler, Joel Contractor EslerJ at ...785...
Mon Jun 9 06:22:27 EDT 2003


 Rule: -- Kazaa Supernode Event
 Sid: -- 1000104
 Signature: -- alert tcp any any -> any 53 (msg:"Kazaa Supernode Event";
content:"supernode.kazaa.com"; sid:1000104; rev:1;)
 Summary: -- This rule detects the resolution of "supernode.kazaa.com" on a
DNS Server
 Impact: -- Network bandwidth usage and sharing of files.
 Detailed Information: -- Kazaa, a popular P2P file sharing program, uses a
DNS Server during its initial connection attempts to resolve the name
"supernode.kazaa.com"; by using this string you can detect this initial
connection attempt.
 Affected Systems: -- Any that have the software installed.
 Attack Scenarios: -- File Sharing within the network
 Ease of Attack: -- Unknown
 False Positives: -- the string "supernode.kazaa.com" in traffic that
travels on port 53 could trigger this event.
 False Negatives: -- Unknown
 Corrective Action: -- Remove unauthorized File-Sharing programs installed
in the network.
 Contributors: -- Joel Esler
 Additional References: www.kazaa.com
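
Added example (not part of the original post): DNS carries names on the wire as length-prefixed labels rather than dotted text, so this Python sketch builds a constructed query for the name in the rule and compares a dotted-string match against a label-encoded one. The helper names (encode_qname, build_query, snort_content, matches) are assumptions made for this illustration.

```python
import struct

def encode_qname(name: str) -> bytes:
    """Encode a hostname as DNS wire-format labels (RFC 1035, section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"bad label length: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"  # root label terminates the name

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal standard A/IN query payload (constructed sample)."""
    # Flags 0x0100 = recursion desired; one question, no other records.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", 1, 1)

def snort_content(name: str) -> str:
    """Render the label-encoded name in Snort content syntax (|hex| bytes)."""
    parts = [f"|{len(label):02X}|{label}" for label in name.rstrip(".").split(".")]
    return "".join(parts) + "|00|"

def matches(payload: bytes, pattern: bytes, nocase: bool = False) -> bool:
    """Plain substring match, as a content option does; nocase folds ASCII."""
    if nocase:
        payload, pattern = payload.lower(), pattern.lower()
    return pattern in payload

NAME = "supernode.kazaa.com"  # the name from the proposed rule

if __name__ == "__main__":
    query = build_query(NAME)
    mixed = build_query("SuperNode.Kazaa.COM")  # DNS names are case-insensitive
    wire = encode_qname(NAME)
    print("dotted string matches query:", matches(query, NAME.encode()))
    print("label form matches query:   ", matches(query, wire))
    print("label form, mixed case:     ", matches(mixed, wire))
    print("label form, mixed + nocase: ", matches(mixed, wire, nocase=True))
    print('content:"' + snort_content(NAME) + '"; nocase;')
```

Ordinary lookups are also sent over UDP, so a rule meant to see them would need to cover udp traffic to port 53 as well.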



