[Snort-sigs] Edonkey - port 4662

Gustavo Beltrami Rossi rossi at ...1271...
Thu Jun 26 09:20:28 EDT 2003


Hi Joe, thanks for your answer, but I'm looking for a signature not
based on ports, since the user can change that.

Thanks,
Rossi.


On Thu, 2003-06-26 at 12:53, Joe Matusiewicz wrote:
> At 05:33 PM 6/25/03, O'Flynn, Derek wrote:
> 
> > Anyone have a rule that can detect Edonkey starting up, or
> > requesting a file.  I am about to go try to do some sniffer
> > captures, but was wondering if someone already had a working rule.
> 
> 
> These worked for me a while back after looking at trace logs.  They're
> for snort 1.x.
> 
> alert tcp any !80 -> any 4662 (flags: SA; tag: session, 10, packets; msg: "Possible eDonkey Traffic";)
> alert tcp any 4662 -> any !80 (flags: SA; tag: session, 10, packets; msg: "Possible eDonkey Traffic";)
> 
> I looked for part 2 of the handshake and captured a few packets of an
> ongoing connection.  Excluding port 80 helped eliminate normal web
> traffic using 4662 as the source port. The packet with the name of the
> file downloaded couldn't be isolated so I had to look at the trailing
> packets.  It worked like a champ for me because I could pin down the
> names of the files being downloaded.  But YMMV.
> 
> Hope this helps,
> 
> -- Joe
> 

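As an added illustration of the port-independent approach Rossi is asking for (this is not code from the thread or from either poster), the script below contrasts a port-only test modelled on Joe's rules with a content test on the eDonkey TCP framing: a protocol marker byte (0xE3 for classic eDonkey, 0xC5 for the eMule extension), a 4-byte little-endian length, and an opcode, where 0x01 is the client HELLO sent right after the TCP handshake. The framing, the HELLO layout and the tag encoding are taken from the public eDonkey protocol description, not from this page; the sample flows are constructed inline, not real captures. The same idea in Snort terms is a `content:"|E3|"; depth:1;` match followed by a check on the opcode, which fires whatever port the client chose.

```python
import struct

# eDonkey TCP framing (from the public protocol description; assumed here, not stated in the thread):
#   byte 0      protocol id: 0xE3 classic eDonkey, 0xC5 eMule extended protocol
#   bytes 1-4   uint32 little-endian length of everything after this field (opcode + body)
#   byte 5      opcode; 0x01 is the client HELLO sent right after the TCP handshake
PROTO_EDONKEY = 0xE3
PROTO_EMULE = 0xC5
OP_HELLO = 0x01
TAG_STRING = 0x02            # tag value is uint16 length + bytes
TAG_UINT32 = 0x03            # tag value is uint32
TAG_NAME_CLIENTNAME = b"\x01"


def parse_frame(payload: bytes):
    """Return (proto, opcode, body) if payload is one well-framed eDonkey message, else None."""
    if len(payload) < 6 or payload[0] not in (PROTO_EDONKEY, PROTO_EMULE):
        return None
    (length,) = struct.unpack_from("<I", payload, 1)
    if length != len(payload) - 5:           # length covers opcode + body only
        return None
    return payload[0], payload[5], payload[6:]


def parse_hello(body: bytes):
    """Decode a client HELLO body: 16-byte user hash, uint32 client id, uint16 port, tag list."""
    if len(body) < 26:
        return None
    user_hash = body[:16]
    client_id, port, tag_count = struct.unpack_from("<IHI", body, 16)
    off, tags = 26, {}
    for _ in range(tag_count):
        if off + 3 > len(body):
            return None
        tag_type = body[off]
        (name_len,) = struct.unpack_from("<H", body, off + 1)
        off += 3
        name = body[off:off + name_len]
        off += name_len
        if tag_type == TAG_STRING:
            (val_len,) = struct.unpack_from("<H", body, off)
            off += 2
            value = body[off:off + val_len].decode("latin-1")
            off += val_len
        elif tag_type == TAG_UINT32:
            (value,) = struct.unpack_from("<I", body, off)
            off += 4
        else:
            return None                      # unknown tag type: refuse to guess its length
        tags[name] = value
    return {"hash": user_hash.hex(), "client_id": client_id, "port": port,
            "client_name": tags.get(TAG_NAME_CLIENTNAME)}


def content_rule(payload: bytes):
    """Port-independent check: eDonkey framing plus the HELLO opcode; returns the decoded HELLO or None."""
    frame = parse_frame(payload)
    if frame is None:
        return None
    _proto, opcode, body = frame
    if opcode != OP_HELLO:
        return None
    return parse_hello(body)


def port_rule(src_port: int, dst_port: int) -> bool:
    """The port test behind Joe's first rule, 'any !80 -> any 4662', without the flag condition."""
    return dst_port == 4662 and src_port != 80


def build_hello(user_hash: bytes, client_id: int, port: int, client_name: str) -> bytes:
    """Construct a classic eDonkey client HELLO so the sample traffic can be generated offline."""
    name = client_name.encode("latin-1")
    tag = (bytes([TAG_STRING]) + struct.pack("<H", len(TAG_NAME_CLIENTNAME)) + TAG_NAME_CLIENTNAME
           + struct.pack("<H", len(name)) + name)
    body = user_hash + struct.pack("<IHI", client_id, port, 1) + tag
    return bytes([PROTO_EDONKEY]) + struct.pack("<I", 1 + len(body)) + bytes([OP_HELLO]) + body


# Constructed sample flows: (src_port, dst_port, first client payload). None of these are real captures.
SAMPLE_FLOWS = [
    (34567, 4662, build_hello(bytes(range(16)), 0x0A0B0C0D, 4662, "eMule v0.30")),  # eDonkey, default port
    (40001, 5555, build_hello(b"\xAA" * 16, 0, 5555, "mldonkey")),                  # eDonkey, custom port
    (40002, 4662, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),                 # web traffic to 4662
    (40003, 4662, b"\xE3\xFF\xFF\x00\x00\x01garbage"),                              # marker byte, bad length
]


def classify(flows):
    """Label each flow by which of the two approaches flags it."""
    out = []
    for src, dst, payload in flows:
        hello = content_rule(payload)
        out.append({"port_rule": port_rule(src, dst),
                    "content_rule": hello is not None,
                    "client_name": hello["client_name"] if hello else None})
    return out


if __name__ == "__main__":
    for flow, verdict in zip(SAMPLE_FLOWS, classify(SAMPLE_FLOWS)):
        print(flow[0], "->", flow[1], verdict)
```

Running it shows the two failure modes Rossi is worried about: the port test misses the HELLO sent to port 5555 and flags the HTTP request to 4662, while the content test catches the HELLO on either port, ignores the web request, and rejects a payload that only starts with 0xE3 because its length field does not match the frame.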