[Snort-sigs] Using snort to Identify P2P transfers.

dmitriy.dunavetsky at ...1922...
Wed Oct 1 09:15:07 EDT 2003


The original rule set, especially the Gnutella GET rule, was creating a lot of false 
positives.  Also I needed to know what application the user is using, and some 
signatures are better than the default, but you do have to tune them.




Nigel Houghton <nigel at ...435...>
Sent by: nigel at ...1484...
10/01/2003 06:22 AM

 
        To:     "dmitriy.dunavetsky at ...1922..." <dmitriy.dunavetsky at ...1922...>
        cc:     "snort-sigs at lists.sourceforge.net" <snort-sigs at lists.sourceforge.net>
        Fax to: 
        Subject:        Re: [Snort-sigs] Using snort to Identify P2P transfers.



Is there something wrong with the official Snort p2p ruleset?

This one...

alert tcp $EXTERNAL_NET any -> $HOME_NET 1214 (msg:"P2P Fastrack (kazaa/morpheus) GET request"; flow:to_server,established; content:"GET "; depth:4; reference:url,www.musiccity.com/technology.htm; reference:url,www.kazaa.com; classtype:policy-violation; sid:1383; rev:4;)

is better than your...

alert tcp any any -> $HOME_NET 1214 (msg: "!!!!FastTrack Protocol (Morpheus/Kazaa) GET request"; content: "GET "; depth: 4; flags:A+; reference:url,www.musiccity.com/technology.htm; reference:url,www.kazaa.com; )

I am also curious as to why you felt the need to modify sid 1432 to use
!$SMTP_SERVERS with the added /uri-res/ to the GET request. If there are
some false positives you have encountered with this rule please let
everyone know by posting your observations to the list. The same goes for
all rules.

Around Yesterday dmitriy.dunavetsky at ...1922... said:

d :This is my first time writing to this list so bear with me.
d :I see a lot of people posting P2P questions, so I just wanted to share
d :rules that I use and if you can share your rules for P2P traffic
d :discovery.
d :# Local rules Developed by Dmitriy Dunavetsky
d :alert tcp $HOME_NET any -> any 80 (flow: to_server,established; content:"P2P-Agent"; offset:0; msg:"Kazaa P2P Agent Start";)
d :alert udp $HOME_NET any -> $EXTERNAL_NET any (content:"|27 00 00 00 a9 80 4b 61 5a 61 41 00|"; msg:"Kazaa Started";)
d :alert tcp $HOME_NET 1024:65535 -> $EXTERNAL_NET any (msg:"Kazaa access"; flow: from_client; content: "GET /.hash="; nocase; classtype:bad-unknown;)
d :alert tcp any any -> $HOME_NET 1214 (msg: "!!!!FastTrack Protocol (Morpheus/Kazaa) GET request"; content: "GET "; depth: 4; flags:A+; reference:url,www.musiccity.com/technology.htm; reference:url,www.kazaa.com; )
d :alert tcp !$SMTP_SERVERS any -> $EXTERNAL_NET !80 (msg:"My - P2P GNUTella GET"; flow:to_server,established; content:"GET /uri-res/"; offset:0; depth:4; classtype:misc-activity; sid:1432;  rev:3;)
d :alert udp $EXTERNAL_NET any -> $HOME_NET 7550 (msg:"Edonkey Connection"; content:"|6263 703a 2f2f|"; classtype:policy-violation;)
d :alert tcp $HOME_NET any -> $EXTERNAL_NET 411 (msg:"Direct Connect P2P request"; flow: to_server,established; content:"$"; offset:0; depth:2;)
d :alert tcp $HOME_NET any -> $EXTERNAL_NET 6699 (msg:"Possible WinMX P2P use"; flow:established; flags: PA;)
d :
d :
d :
d :
d :
d :james <hackerwacker at ...225...>
d :Sent by: snort-sigs-admin at lists.sourceforge.net
d :09/29/2003 10:34 PM
d :Please respond to hackerwacker
d :
d :
d :        To:     Tony Hernandez <tonyh at ...1915...>
d :        cc:     snort-sigs at lists.sourceforge.net
d :        Fax to:
d :        Subject:        Re: [Snort-sigs] Using snort to Identify P2P transfers.
d :
d :
d :On Mon, 2003-09-29 at 09:51, Tony Hernandez wrote:
d :I was wondering if anyone has snort on a router mirror port configured
d :
d :
d :Yes, I mirror the edge routers Eth port to my Snort box.
d :
d :
d :to identify p2p traffic ie - kazaa, gnutella, directconnect.. etc.
d :
d :Just looking for some info on this, experiences, example sigs etc..
d :
d :
d :Snort comes with P2P rules, try turning them on.
d :
d :

-------------------------------------------------------------
Nigel Houghton   Security Research Engineer   Sourcefire Inc.
Vulnerability Research Team

"Mankind hasn't even got the technology to create a toupee
that doesn't get big laughs." -- Lister

Message dated: Oct 1
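The disagreement above turns on how Snort's content/offset/depth/nocase options select bytes. The following is an added example, not code from the thread or from Snort: a small Python model of that matching, run over constructed payloads (not captures) with the content options copied from the rules posted above. It shows why a bare "GET " with depth 4 also fires on ordinary HTTP to port 1214, and why a depth smaller than the pattern (as in the modified sid 1432, depth 4 against a 13-byte content) can never match.

```python
"""Model of Snort 2.x content matching (added example, not Snort's code).
depth counts bytes starting at offset; the pattern must fit in that window."""
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Content:
    pattern: bytes
    offset: int = 0
    depth: Optional[int] = None   # None: search to end of payload
    nocase: bool = False

def can_ever_match(c: Content) -> bool:
    """A depth shorter than the pattern makes the content option dead."""
    return c.depth is None or c.depth >= len(c.pattern)

def content_matches(payload: bytes, c: Content) -> bool:
    end = len(payload) if c.depth is None else c.offset + c.depth
    window, pat = payload[c.offset:end], c.pattern
    if c.nocase:
        window, pat = window.lower(), pat.lower()
    return pat in window

# content options taken from the rules quoted in the thread
RULES: Dict[str, Content] = {
    "sid 1383 fastrack GET": Content(b"GET ", depth=4),
    "kazaa .hash GET": Content(b"GET /.hash=", nocase=True),
    "gnutella uri-res (depth as posted)": Content(b"GET /uri-res/", depth=4),
    "gnutella uri-res (depth fixed)": Content(b"GET /uri-res/", depth=13),
    "direct connect $": Content(b"$", depth=2),
}

# constructed sample payloads, one per protocol mentioned in the thread
PAYLOADS: Dict[str, bytes] = {
    "kazaa hash fetch": b"GET /.hash=0123abcd HTTP/1.1\r\nHost: x\r\n\r\n",
    "gnutella n2r": b"GET /uri-res/N2R?urn:sha1:ABC HTTP/1.1\r\n\r\n",
    "plain web GET": b"GET /index.html HTTP/1.0\r\n\r\n",
    "dc lock": b"$Lock EXTENDEDPROTOCOL Pk=ABC|",
}

def matrix() -> Dict[str, List[str]]:
    """Which constructed payloads each rule's content option would hit."""
    return {name: [p for p, data in PAYLOADS.items() if content_matches(data, c)]
            for name, c in RULES.items()}

if __name__ == "__main__":
    for name, hits in matrix().items():
        flag = "" if can_ever_match(RULES[name]) else "  (can never match)"
        print(f"{name}: {hits}{flag}")
```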
