[Snort-sigs] Edonkey - port 4662
joem at ...555...
Thu Jun 26 08:54:11 EDT 2003
At 05:33 PM 6/25/03, O'Flynn, Derek wrote:
>Anyone have a rule that can detect Edonkey starting up, or requesting a
>file? I am about to go try to do some sniffer captures, but was wondering
>if someone already had a working rule.
These worked for me a while back after looking at trace logs. They're for
alert tcp any !80 -> any 4662 (flags: SA; tag: session, 10, packets; msg: "Possible eDonkey Traffic";)
alert tcp any 4662 -> any !80 (flags: SA; tag: session, 10, packets; msg: "Possible eDonkey Traffic";)
I looked for part 2 of the handshake and captured a few packets of an
ongoing connection. Excluding port 80 helped eliminate normal web traffic
using 4662 as the source port. The packet with the name of the file
downloaded couldn't be isolated so I had to look at the trailing
packets. It worked like a champ for me because I could pin down the
names of the files being downloaded. But YMMV.
Hope this helps,
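As an added illustration (not part of the original post or of Snort itself), the following Python emulates the two rules above over constructed packet records: it shows how the port-80 exclusion suppresses a web session that happened to use 4662 as its ephemeral source port, and what "tag: session, 10, packets" does once a rule fires. Hosts, ports and packet sequence are all constructed sample data.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str  # TCP flags in Snort notation, e.g. "S", "SA", "PA"

def edonkey_alert(pkt):
    """Emulate the two rules: a SYN-ACK to or from port 4662, port 80 excluded."""
    if pkt.flags != "SA":
        return None
    if pkt.dst_port == 4662 and pkt.src_port != 80:   # any !80 -> any 4662
        return "Possible eDonkey Traffic"
    if pkt.src_port == 4662 and pkt.dst_port != 80:   # any 4662 -> any !80
        return "Possible eDonkey Traffic"
    return None

def session_key(pkt):
    """Direction-independent key so both halves of a connection share one tag."""
    return tuple(sorted([(pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port)]))

def run(packets, tag_count=10):
    """Return (alerts, tagged). After a rule fires, the next tag_count packets
    of that session are collected, as 'tag: session, 10, packets' logs them."""
    alerts, tagged, remaining = [], [], {}
    for pkt in packets:
        key = session_key(pkt)
        if remaining.get(key, 0) > 0:      # session already tagged by an alert
            tagged.append(pkt)
            remaining[key] -= 1
            continue
        msg = edonkey_alert(pkt)
        if msg:
            alerts.append((key, msg))
            remaining[key] = tag_count
    return alerts, tagged

def sample_packets():
    """Constructed traffic: an eDonkey-style session, then a web session
    whose client happened to pick 4662 as its ephemeral source port."""
    c, ed, web = "10.0.0.5", "192.0.2.10", "198.51.100.7"
    pkts = [Packet(c, 3456, ed, 4662, "S"), Packet(ed, 4662, c, 3456, "SA")]
    pkts += [Packet(c, 3456, ed, 4662, "PA") for _ in range(6)]
    pkts += [Packet(ed, 4662, c, 3456, "PA") for _ in range(6)]
    pkts += [Packet(c, 4662, web, 80, "S"), Packet(web, 80, c, 4662, "SA"),
             Packet(c, 4662, web, 80, "PA")]
    return pkts
```

Running `run(sample_packets())` yields one alert for the eDonkey session and ten tagged follow-up packets, while the web session's SYN-ACK from port 80 produces nothing.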