[Snort-sigs] Edonkey - port 4662

O'Flynn, Derek DOFlyn at ...466...
Thu Jun 26 09:49:04 EDT 2003


I downloaded Edonkey yesterday and did some packet captures.  I also added
joe's signatures to the system to see what it picks up.  I would like to
know the files they downloaded as well.  I noticed that while edonkey is
operating it uses UDP packets on port 7550.  These packets have a unique tag
in them.  I was able to use this to write a rule.  It's noisy once they fire
up Edonkey, but it quickly identifies them.  Since it is UDP you cannot use
it for flex-resp rules, but it does allow you to go tap them on the shoulder
and tell them to stop it.

alert udp $EXTERNAL_NET any -> $HOME_NET 7550 (msg:"Edonkey Connection";
content:"|6263 703a 2f2f|"; classtype:policy-violation;)

6263 703a 2f2f = "bcp://"

Thanks,
Derek

-----Original Message-----
From: Gustavo Beltrami Rossi [mailto:rossi at ...1271...] 
Sent: Thursday, June 26, 2003 11:20 AM
To: 'snort-sigs at lists.sourceforge.net'
Subject: Re: [Snort-sigs] Edonkey - port 4662

Hi Joe, thanks for your answer, but I'm looking for a signature not
based on ports, since the user can change that.

Thanks,
Rossi.


On Qui, 2003-06-26 at 12:53, Joe Matusiewicz wrote:
> At 05:33 PM 6/25/03, O'Flynn, Derek wrote:
> 
> > Anyone have a rule that can detect Edonkey starting up, or
> > requesting a file.  I am about to go try to do some sniffer
> > captures, but was wondering if someone already had a working rule.
> 
> 
> These worked for me a while back after looking at trace logs.  They're
> for snort 1.x.
> 
> alert tcp any !80 -> any 4662 (flags: SA; tag: session, 10, packets;
> msg: "Posible eDonkey Traffic";)
> alert tcp any 4662 -> any !80 (flags: SA; tag: session, 10, packets;
> msg: "Possible eDonkey Traffic";)
> 
> I looked for part 2 of the handshake and captured a few packets of an
> ongoing connection.  Excluding port 80 helped eliminate normal web
> traffic using 4662 as the source port. The packet with the name of the
> file downloaded couldn't be isolated so I had to look at the trailing
> packets.  It worked like a champ for me because I could pin down the
> the names of the files being downloaded.  But YMMV.
> 
> Hope this helps,
> 
> -- Joe
> 



-------------------------------------------------------
This SF.Net email is sponsored by: INetU
Attention Web Developers & Consultants: Become An INetU Hosting Partner.
Refer Dedicated Servers. We Manage Them. You Get 10% Monthly Commission!
INetU Dedicated Managed Hosting http://www.inetu.net/partner/index.php
_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20030626/0d6d72d5/attachment.html>


More information about the Snort-sigs mailing list