[Snort-sigs] Edonkey - port 4662
DOFlyn at ...466...
Thu Jun 26 09:49:04 EDT 2003
I downloaded Edonkey yesterday and did some packet captures. I also added
joe's signatures to the system to see what it picks up. I would like to
know the files they downloaded as well. I noticed that while edonkey is
operating it uses UDP packets on port 7550. These packets have a unique tag
in them. I was able to use this to write a rule. It's noisy once they fire
up Edonkey, but it quickly identifies them. Since it is UDP you cannot use
it for flex-resp rules, but it does allow you to go tap them on the shoulder
and tell them to stop it.
alert udp $EXTERNAL_NET any -> $HOME_NET 7550 (msg:"Edonkey Connection"; content:"|62 63 70 3a 2f 2f|"; classtype:policy-violation;)
62 63 70 3a 2f 2f = "bcp://"
From: Gustavo Beltrami Rossi [mailto:rossi at ...1271...]
Sent: Thursday, June 26, 2003 11:20 AM
To: 'snort-sigs at lists.sourceforge.net'
Subject: Re: [Snort-sigs] Edonkey - port 4662
Hi Joe, thanks for your answer, but I'm looking for a signature not
based on ports, since the user can change that.
On Thu, 2003-06-26 at 12:53, Joe Matusiewicz wrote:
> At 05:33 PM 6/25/03, O'Flynn, Derek wrote:
> > Anyone have a rule that can detect Edonkey starting up, or
> > requesting a file. I am about to go try to do some sniffer
> > captures, but was wondering if someone already had a working rule.
> These worked for me a while back after looking at trace logs. They're
> for snort 1.x.
> alert tcp any !80 -> any 4662 (flags: SA; tag: session, 10, packets; msg: "Possible eDonkey Traffic";)
> alert tcp any 4662 -> any !80 (flags: SA; tag: session, 10, packets; msg: "Possible eDonkey Traffic";)
> I looked for part 2 of the handshake and captured a few packets of an
> ongoing connection. Excluding port 80 helped eliminate normal web
> traffic using 4662 as the source port. The packet with the name of the
> file downloaded couldn't be isolated so I had to look at the trailing
> packets. It worked like a champ for me because I could pin down the
> names of the files being downloaded. But YMMV.
> Hope this helps,
> -- Joe
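Both kinds of rule in this thread, Derek's UDP content match on "bcp://" and Joe's SYN/ACK rules on port 4662 with the !80 exclusion, evaluated by a small Snort-style matcher. This is an added illustration written for this page, not Snort itself and not code from either poster. It assumes a minimal Packet record and constructed sample packets (no captured traffic), treats $HOME_NET/$EXTERNAL_NET as "any", gives Joe's two messages "(to 4662)"/"(from 4662)" suffixes so the results can be told apart, and applies Snort's exact-match meaning of flags:SA (SYN and ACK set, nothing else).

```python
# Minimal Snort-style rule evaluator for the eDonkey rules in this thread.
# Added example, not Snort and not either poster's code.  Supported: proto
# tcp/udp, port specs (any, N, !N), content with |hex| escapes, flags with
# exact-match semantics.  Address fields ($HOME_NET etc.) are treated as any.
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    proto: str            # "tcp" or "udp"
    sport: int
    dport: int
    payload: bytes = b""
    flags: str = ""       # TCP flag letters, e.g. "SA"


@dataclass
class Rule:
    proto: str
    sport: str
    dport: str
    msg: str
    content: Optional[bytes]
    flags: Optional[str]


HEADER = re.compile(
    r"^alert\s+(?P<proto>tcp|udp)\s+\S+\s+(?P<sport>\S+)\s*->\s*\S+\s+(?P<dport>\S+)"
    r"\s*\((?P<opts>.*)\)\s*$"
)
# name:value; pairs; a quoted value may itself contain ';'
OPTION = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*);')


def parse_content(spec: str) -> bytes:
    """Expand a Snort content string: text outside |...| is literal, text
    inside is hex with whitespace ignored, so "|6263 703a 2f2f|" and
    "|62 63 70 3a 2f 2f|" both decode to b"bcp://"."""
    parts = spec.split("|")
    if len(parts) % 2 == 0:
        raise ValueError(f"unbalanced '|' in content: {spec!r}")
    out = bytearray()
    for i, part in enumerate(parts):
        if i % 2 == 0:
            out += part.encode("latin-1")
        else:
            digits = re.sub(r"\s+", "", part)
            if len(digits) % 2 or not re.fullmatch(r"[0-9a-fA-F]*", digits):
                raise ValueError(f"bad hex in content: {part!r}")
            out += bytes.fromhex(digits)
    return bytes(out)


def parse_rule(line: str) -> Rule:
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError(f"unsupported rule header: {line!r}")
    opts = {}
    for name, value in OPTION.findall(m.group("opts")):
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        opts[name] = value
    return Rule(proto=m["proto"], sport=m["sport"], dport=m["dport"],
                msg=opts.get("msg", ""),
                content=parse_content(opts["content"]) if "content" in opts else None,
                flags=opts.get("flags"))


def port_ok(spec: str, port: int) -> bool:
    if spec == "any":
        return True
    if spec.startswith("!"):          # Joe's "!80": every port except 80
        return port != int(spec[1:])
    return port == int(spec)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != pkt.proto:
        return False
    if not (port_ok(rule.sport, pkt.sport) and port_ok(rule.dport, pkt.dport)):
        return False
    if rule.flags is not None and set(rule.flags) != set(pkt.flags):
        return False                  # flags:SA means exactly SYN+ACK
    if rule.content is not None and rule.content not in pkt.payload:
        return False
    return True


def fired(rules_text: str, packets: List[Packet]) -> List[List[str]]:
    """For each packet, the msg of every rule that would alert on it."""
    rules = [parse_rule(l) for l in rules_text.strip().splitlines() if l.strip()]
    return [[r.msg for r in rules if matches(r, p)] for p in packets]


# The thread's rules; Joe's msgs carry suffixes here so the results are distinguishable.
RULES = """
alert udp $EXTERNAL_NET any -> $HOME_NET 7550 (msg:"Edonkey Connection"; content:"|6263 703a 2f2f|"; classtype:policy-violation;)
alert tcp any !80 -> any 4662 (flags: SA; tag: session, 10, packets; msg: "Possible eDonkey Traffic (to 4662)";)
alert tcp any 4662 -> any !80 (flags: SA; tag: session, 10, packets; msg: "Possible eDonkey Traffic (from 4662)";)
"""

# Constructed sample packets, not captured traffic.
PACKETS = [
    Packet("udp", 7550, 7550, b"\x00\x12bcp://192.0.2.10:4662/\x00"),  # carries the tag
    Packet("udp", 7550, 7550, b"\x00\x01\x02\x03"),                    # same port, no tag
    Packet("tcp", 4662, 51234, flags="SA"),   # SYN/ACK from port 4662: rule 2
    Packet("tcp", 4662, 80, flags="SA"),      # SYN/ACK towards port 80: excluded by !80
    Packet("tcp", 51234, 4662, flags="S"),    # SYN only: flags:SA does not match
    Packet("tcp", 51234, 4662, flags="SA"),   # SYN/ACK into port 4662: rule 1
]

if __name__ == "__main__":
    for pkt, msgs in zip(PACKETS, fired(RULES, PACKETS)):
        print(f"{pkt.proto} {pkt.sport}->{pkt.dport} {pkt.flags}: {msgs or '-'}")
```

Running it shows why the two approaches differ in coverage: the content rule fires only on packets that carry the "bcp://" tag regardless of which port eDonkey was moved to, while the flags:SA rules fire on the handshake alone and so depend on the default port staying at 4662, which is the limitation Gustavo raises.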