[Snort-sigs] Using snort to Identify P2P transfers.

dmitriy.dunavetsky at ...1922... dmitriy.dunavetsky at ...1922...
Wed Oct 1 06:03:10 EDT 2003

This is my first time writing to this list so bare with me. 
I see a lot of people posting P2P questions, so I just wanted to share 
rules that I use and if you can share your rules for P2P traffic 
# Local rules Developed by Dmitiry Dunavetsky
alert tcp $HOME_NET any -> any 80 (flow: to_server,established; 
content:"P2P-Agent"; offset:0; msg:"Kazaa P2P Agent Start";)
alert udp $HOME_NET any ->  $EXTERNAL_NET any (content:"|27 00 00 00 a9 80 
4b 61 5a 61 41 00|"; msg:"Kazaa Started";)
alert tcp $HOME_NET 1024:65535 -> $EXTERNAL_NET any (msg:"Kazaa 
access";flow: from_client; content: "GET /.hash="; nocase; 
alert tcp any any -> $HOME_NET 1214 (msg: "!!!!FastTrack Protocol 
(Morpheus/Kazaa) GET request"; content: "GET "; depth: 4; flags:A+; 
reference:url,www.kazaa.com; )
alert tcp !$SMTP_SERVERS any -> $EXTERNAL_NET !80 (msg:"My - P2P GNUTella 
GET"; flow:to_server,established; content:"GET /uri-res/"; offset:0; 
depth:4; classtype:misc-activity; sid:1432;  rev:3;)
alert udp $EXTERNAL_NET any -> $HOME_NET 7550 (msg:"Edonkey Connection"; 
content:"|6263 703a 2f2f|"; classtype:policy-violation;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 411 (msg:"Direct Connect P2P 
request"; flow: to_server,established; content:"$"; offset:0; depth:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6699 (msg:"Possible WinMX P2P 
use"; flow:established; flags: PA;)

james <hackerwacker at ...225...>
Sent by: snort-sigs-admin at lists.sourceforge.net
09/29/2003 10:34 PM
Please respond to hackerwacker

        To:     Tony Hernandez <tonyh at ...1915...>
        cc:     snort-sigs at lists.sourceforge.net
        Fax to: 
        Subject:        Re: [Snort-sigs] Using snort to Identify P2P transfers.

On Mon, 2003-09-29 at 09:51, Tony Hernandez wrote:
I was wondering if anyone has snort on a router mirror port configured

Yes, I mirror the edge routers Eth port to my Snort box.

to identify p2p traffic ie - kazaa, gnutella, directconnect.. etc.

Just looking for some info on this, experiences, example sigs etc..

Snort comes with P2P rules, try turning them on.

This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20031001/23f48733/attachment.html>

More information about the Snort-sigs mailing list