[Snort-sigs] Edonkey - port 4662

Joe Matusiewicz joem at ...555...
Thu Jun 26 08:54:11 EDT 2003


At 05:33 PM 6/25/03, O'Flynn, Derek wrote:

>Anyone have a rule that can detect Edonkey starting up, or requesting a 
>file?  I am about to go try to do some sniffer captures, but was wondering 
>if someone already had a working rule.


These worked for me a while back after looking at trace logs.  They're for 
snort 1.x.

alert tcp any !80 -> any 4662 (flags: SA; tag: session, 10, packets; msg: "Possible eDonkey Traffic";)
alert tcp any 4662 -> any !80 (flags: SA; tag: session, 10, packets; msg: "Possible eDonkey Traffic";)

I looked for part 2 of the handshake and captured a few packets of an 
ongoing connection.  Excluding port 80 helped eliminate normal web traffic 
using 4662 as the source port.  The packet with the name of the file 
downloaded couldn't be isolated, so I had to look at the trailing 
packets.  It worked like a champ for me because I could pin down the 
names of the files being downloaded.  But YMMV.

Hope this helps,

-- Joe
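Added example, not part of Joe's post and not Snort code: a small Python model of how the two rules above match (SYN-ACK flags, port 4662 on one side, port 80 excluded on the other) and how "tag: session, 10, packets" then logs the trailing packets of the same session, which is where the file name turned up. The packet records, addresses and payloads are constructed, and the tag semantics (alerting packet logged by the alert, next N packets of that session logged by the tag) are an assumed simplification of Snort's behaviour.

```python
# Added example (not from the post, not Snort code): a model of the two eDonkey
# SYN-ACK rules and of Snort-style session tagging. Traffic is constructed and
# the tag semantics are a simplified assumption.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str          # TCP flag letters as Snort writes them, e.g. "S", "SA", "PA"
    payload: bytes = b""


def port_match(spec: str, port: int) -> bool:
    """Snort single-port syntax: 'any', an exact port like '4662', or a negation like '!80'."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return port != int(spec[1:])
    return port == int(spec)


def session_key(p: Packet):
    """Direction-independent 4-tuple so both halves of a connection share one tag budget."""
    return tuple(sorted([(p.src_ip, p.src_port), (p.dst_ip, p.dst_port)]))


# The two rules from the post, reduced to the fields this model needs.
RULES = [
    {"src": "!80", "dst": "4662", "flags": "SA", "tag": 10, "msg": "Possible eDonkey Traffic"},
    {"src": "4662", "dst": "!80", "flags": "SA", "tag": 10, "msg": "Possible eDonkey Traffic"},
]


def run_rules(packets, rules=RULES):
    """Return (alerts, tagged): alerts as (packet index, msg); tagged as indexes of
    later packets logged only because an earlier alert tagged their session."""
    alerts, tagged, budget = [], [], {}
    for i, p in enumerate(packets):
        key = session_key(p)
        fired = False
        for r in rules:
            # 'flags: SA' without modifiers means exactly SYN and ACK set, nothing else.
            if (port_match(r["src"], p.src_port) and port_match(r["dst"], p.dst_port)
                    and set(p.flags) == set(r["flags"])):
                alerts.append((i, r["msg"]))
                budget[key] = max(budget.get(key, 0), r["tag"])
                fired = True
        # Assumed simplification: the alerting packet is logged by the alert itself;
        # the tag then logs the next N packets of that session in either direction.
        if not fired and budget.get(key, 0) > 0:
            tagged.append(i)
            budget[key] -= 1
    return alerts, tagged


def tagged_payloads(packets, tagged):
    """Payloads of the tagged trailing packets, where the post says the file name showed up."""
    return [packets[i].payload for i in tagged if packets[i].payload]


# Constructed traffic: one eDonkey-style exchange (peer listening on 4662) and one
# ordinary web fetch whose client happened to pick 4662 as its ephemeral port.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", 51000, "192.0.2.10", 4662, "S"),
    Packet("192.0.2.10", 4662, "10.0.0.5", 51000, "SA"),        # second step of the handshake
    Packet("10.0.0.5", 51000, "192.0.2.10", 4662, "A"),
    Packet("10.0.0.5", 51000, "192.0.2.10", 4662, "PA", b"constructed request for example.avi"),
    Packet("10.0.0.7", 4662, "203.0.113.9", 80, "S"),
    Packet("203.0.113.9", 80, "10.0.0.7", 4662, "SA"),          # web server's SYN-ACK, src port 80
    Packet("203.0.113.9", 80, "10.0.0.7", 4662, "PA", b"HTTP/1.0 200 OK"),
]


if __name__ == "__main__":
    alerts, tagged = run_rules(SAMPLE_PACKETS)
    for i, msg in alerts:
        print(f"alert on packet {i}: {msg}")
    print("tagged packets:", tagged, "payloads:", tagged_payloads(SAMPLE_PACKETS, tagged))
```

Running it, only the peer's SYN-ACK from port 4662 fires, and the two packets that follow in that session are tagged; the web server's SYN-ACK toward the client's port 4662 comes from port 80 and so is skipped by the first rule, which is exactly the false positive the "!80" exclusion was added for.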
