[Snort-sigs] Edonkey - port 4662
Gustavo Beltrami Rossi
rossi at ...1271...
Thu Jun 26 09:20:28 EDT 2003
Hi Joe, thanks for your answer, but I'm looking for a signature not
based on ports, since the user can change that.
On Thu, 2003-06-26 at 12:53, Joe Matusiewicz wrote:
> At 05:33 PM 6/25/03, O'Flynn, Derek wrote:
> > Anyone have a rule that can detect Edonkey starting up, or
> > requesting a file? I am about to go try to do some sniffer
> > captures, but was wondering if someone already had a working rule.
> These worked for me a while back after looking at trace logs. They're
> for snort 1.x.
> alert tcp any !80 -> any 4662 (flags: SA; tag: session, 10, packets; msg: "Possible eDonkey Traffic";)
> alert tcp any 4662 -> any !80 (flags: SA; tag: session, 10, packets; msg: "Possible eDonkey Traffic";)
> I looked for part 2 of the handshake and captured a few packets of an
> ongoing connection. Excluding port 80 helped eliminate normal web
> traffic using 4662 as the source port. The packet with the name of the
> file downloaded couldn't be isolated so I had to look at the trailing
> packets. It worked like a champ for me because I could pin down the
> names of the files being downloaded. But YMMV.
> Hope this helps,
> -- Joe
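The two port-based rules Joe quotes, re-implemented next to the port-independent check Gustavo is asking for, as an added example in Python (not code from this thread or from Snort). It goes beyond the thread in one respect: the payload check assumes the published eDonkey2000 TCP framing (a 0xE3 protocol byte, a 4-byte little-endian length, and opcode 0x01 for the client Hello); those values, the toy Hello body and all sample packets are constructed here and are not taken from the message above.

```python
"""Toy re-implementation of the two Snort 1.x rules quoted in the thread, beside a
port-independent check. Added example, not code from the thread or from Snort.
Assumptions not stated on the page: eDonkey2000 TCP messages start with protocol
byte 0xE3, a 4-byte little-endian payload length and an opcode, and the client
Hello uses opcode 0x01. All packets below are constructed, not captured."""
from dataclasses import dataclass

EDONKEY_PORT = 4662        # default port discussed in the thread
EDONKEY_PROTO_BYTE = 0xE3  # assumption: eDonkey protocol marker byte
OP_HELLO = 0x01            # assumption: eDonkey client Hello opcode
TAG_PACKETS = 10           # "tag: session, 10, packets" in Joe's rules


@dataclass
class Packet:
    src_port: int
    dst_port: int
    flags: str           # TCP flag letters, e.g. "S", "SA", "PA"
    payload: bytes = b""

    def flow(self):
        """Toy flow key; real Snort keys on addresses as well as ports."""
        return tuple(sorted((self.src_port, self.dst_port)))


def port_rule(pkt):
    """Joe's two rules: a pure SYN-ACK with 4662 on one side and the other side not 80."""
    if set(pkt.flags) != {"S", "A"}:
        return False
    return ((pkt.dst_port == EDONKEY_PORT and pkt.src_port != 80) or
            (pkt.src_port == EDONKEY_PORT and pkt.dst_port != 80))


def payload_rule(pkt):
    """Port-independent check: the data packet carries an eDonkey Hello frame whose
    declared length matches the bytes actually present (cuts stray-0xE3 false positives)."""
    p = pkt.payload
    if len(p) < 6 or p[0] != EDONKEY_PROTO_BYTE or p[5] != OP_HELLO:
        return False
    declared = int.from_bytes(p[1:5], "little")
    return declared == len(p) - 5


def tag_sessions(packets, rule):
    """Run a rule over a packet stream; on a hit, log that packet and the next TAG_PACKETS
    packets of the same flow, imitating Snort 1.x session tagging. Returns flow -> packets."""
    logged, remaining = {}, {}
    for pkt in packets:
        key = pkt.flow()
        if rule(pkt):
            remaining[key] = TAG_PACKETS
            logged.setdefault(key, []).append(pkt)
        elif remaining.get(key, 0) > 0:
            remaining[key] -= 1
            logged[key].append(pkt)
    return logged


def hello_frame(client_hash=b"\x11" * 16):
    """Constructed Hello-like frame: marker, LE length, opcode, hash size, hash (toy body)."""
    body = bytes([OP_HELLO, 16]) + client_hash
    return bytes([EDONKEY_PROTO_BYTE]) + len(body).to_bytes(4, "little") + body


def edonkey_session(client_port, server_port):
    """Constructed three-way handshake followed by the client's first data packet."""
    return [
        Packet(client_port, server_port, "S"),
        Packet(server_port, client_port, "SA"),
        Packet(client_port, server_port, "A"),
        Packet(client_port, server_port, "PA", hello_frame()),
        Packet(server_port, client_port, "A"),
    ]


def web_session(client_port):
    """Constructed HTTP session whose client happens to use 4662 as its source port."""
    return [
        Packet(client_port, 80, "S"),
        Packet(80, client_port, "SA"),
        Packet(client_port, 80, "A"),
        Packet(client_port, 80, "PA", b"GET / HTTP/1.0\r\n\r\n"),
    ]


def compare_rules():
    """Run both rules over three constructed flows; returns which flows each one flags."""
    stream = (edonkey_session(51000, EDONKEY_PORT)   # default port: both rules should fire
              + edonkey_session(51001, 7777)         # user moved the port: only payload rule fires
              + web_session(EDONKEY_PORT))           # web traffic from source port 4662: neither
    return {
        "port_rule": set(tag_sessions(stream, port_rule)),
        "payload_rule": set(tag_sessions(stream, payload_rule)),
    }


if __name__ == "__main__":
    for name, flows in compare_rules().items():
        print(name, sorted(flows))
```

Running it shows Joe's point and Gustavo's in one pass: the SYN-ACK rule skips the web flow because port 80 is excluded, but it also misses the eDonkey flow on 7777, while the payload check catches both eDonkey flows regardless of port.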