[Snort-sigs] Using snort to Identify P2P transfers.

nlloyd at ...1923...
Wed Oct 1 11:03:08 EDT 2003


There's something wrong with ALL of these rules that are supposed to catch Kazaa..  The truth is that 75% or more of the Fastrack traffic happens on ports other than 1214..

I had to re-write my rule to look for "X-Kazaa" in any packet on any port.. 

Of course, now that I've spilled my dirty little secret about how I kill kazaa traffic, fasttrack will start encrypting its traffic and I'll be hosed..
*shrugs*
e-donkey is taking off now anyway because there isn't a good way to find and flex-resp it into oblivion..

-good luck
=Nate
(Saint Mary's University of Minnesota, Winona campus)
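The difference Nate describes above (matching the Kazaa header wherever it appears, rather than "GET " on port 1214) can be shown with a small model of Snort's `content` matching. This is an added example, not code from the thread or from Snort itself: it parses Snort-style content strings, including the pipe-delimited hex used in several of the quoted rules, honours `offset`, `depth` and `nocase`, and runs the thread's patterns against constructed sample payloads. The header name `X-Kazaa` comes from Nate's message; port 3531, the addresses and every payload byte are constructed for the example.

```python
# Added example, not part of the original thread: a simplified model of Snort
# `content` matching used to compare a port-bound rule with a port-independent one.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Pipe-delimited hex inside a Snort content string, e.g. "|6263 703a 2f2f|".
HEX_CHUNK = re.compile(r"\|([0-9A-Fa-f\s]*)\|")


def parse_content(pattern: str) -> bytes:
    """Turn a Snort content string into raw bytes.

    Text outside pipes is literal; text between pipes is hex, whitespace ignored.
    """
    out = bytearray()
    pos = 0
    for m in HEX_CHUNK.finditer(pattern):
        out += pattern[pos:m.start()].encode("latin-1")
        out += bytes.fromhex("".join(m.group(1).split()))
        pos = m.end()
    out += pattern[pos:].encode("latin-1")
    return bytes(out)


@dataclass
class ContentRule:
    """The subset of Snort rule options this example models."""
    msg: str
    content: str
    dst_port: Optional[int] = None   # None models "any" in the rule header
    offset: int = 0                  # start searching this many bytes in
    depth: Optional[int] = None      # search only this many bytes from offset
    nocase: bool = False

    def matches(self, dst_port: int, payload: bytes) -> bool:
        if self.dst_port is not None and dst_port != self.dst_port:
            return False
        window = payload[self.offset:]
        if self.depth is not None:
            window = window[: self.depth]
        needle = parse_content(self.content)
        if self.nocase:
            needle, window = needle.lower(), window.lower()
        return needle in window


# Rules built from patterns quoted in the thread, plus the port-independent
# header match Nate describes.  Messages are shortened.
RULES = [
    ContentRule("Fastrack GET on 1214 (sid 1383)", "GET ", dst_port=1214, depth=4),
    ContentRule("Kazaa header, any port", "X-Kazaa", nocase=True),
    ContentRule("Edonkey Connection", "|6263 703a 2f2f|", dst_port=7550),
]

# Constructed sample payloads (not captured traffic).  Port 3531 is an
# arbitrary non-default port chosen for the example.
KAZAA_REQUEST = (
    b"GET /.hash=0123456789abcdef HTTP/1.1\r\n"
    b"Host: 198.51.100.7\r\n"
    b"X-Kazaa-Username: someone\r\n\r\n"
)
SAMPLE_FLOWS: List[Tuple[str, int, bytes]] = [
    ("kazaa default port", 1214, KAZAA_REQUEST),
    ("kazaa other port", 3531, KAZAA_REQUEST),
    ("plain web request", 80, b"GET /index.html HTTP/1.1\r\nHost: example.org\r\n\r\n"),
    ("edonkey-style payload", 7550, b"\x00\x10bcp://203.0.113.9:4662/\x00"),
]


def evaluate(rules: List[ContentRule], flows) -> Dict[str, List[str]]:
    """Map each flow description to the messages of the rules that fire on it."""
    return {
        desc: [r.msg for r in rules if r.matches(port, payload)]
        for desc, port, payload in flows
    }


if __name__ == "__main__":
    for desc, hits in evaluate(RULES, SAMPLE_FLOWS).items():
        print(f"{desc:22} -> {hits or ['no alert']}")
```

Running it shows the trade-off the thread is circling: the sid 1383 pattern fires on any HTTP GET sent to port 1214 and says nothing about the same client on another port, while the header match fires on both Kazaa flows and stays quiet on the ordinary web request, at the cost of inspecting every TCP payload rather than one port. `nocase` is set on the header match because HTTP header names are case-insensitive; `depth:4` on the GET rule means the four bytes must sit at the very start of the payload, which is why it is cheap but generic.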

On Wednesday, October 01, 2003  8:22 AM, Nigel Houghton wrote:
>
>Date: Wed, 1 Oct 2003 09:22:34 -0400 (EDT)
>From: Nigel Houghton
>To: "dmitriy.dunavetsky at ...1922..." <dmitriy.dunavetsky at ...1922...>
>Subject: Re: [Snort-sigs] Using snort to Identify P2P transfers.
>
>Is there something wrong with the official Snort p2p ruleset?
>
>This one...
>
>alert tcp $EXTERNAL_NET any -> $HOME_NET 1214 (msg:"P2P Fastrack
>(kazaa/morpheus) GET request"; flow:to_server,established; content:"GET ";
>depth:4; reference:url,www.musiccity.com/technology.htm;
>reference:url,www.kazaa.com; classtype:policy-violation; sid:1383; rev:4;)
>
>is better than your...
>
>alert tcp any any -> $HOME_NET 1214 (msg: "!!!!FastTrack Protocol
>(Morpheus/Kazaa) GET request"; content: "GET "; depth: 4; flags:A+;
>reference:url,www.musiccity.com/technology.htm;
>reference:url,www.kazaa.com; )
>
>I am also curious as to why you felt the need to modify sid 1432 to use
>!$SMTP_SERVERS with the added /uri-res/ to the GET request. If there are
>some false positives you have encountered with this rule please let
>everyone know by posting your observations to the list. The same goes for
>all rules.
>
>Around Yesterday dmitriy.dunavetsky at ...1922... said:
>
>d :This is my first time writing to this list so bear with me.
>d :I see a lot of people posting P2P questions, so I just wanted to share
>d :rules that I use and if you can share your rules for P2P traffic
>d :discovery.
>d :# Local rules Developed by Dmitriy Dunavetsky
>d :alert tcp $HOME_NET any -> any 80 (flow: to_server,established;
>d :content:"P2P-Agent"; offset:0; msg:"Kazaa P2P Agent Start";)
>d :alert udp $HOME_NET any ->  $EXTERNAL_NET any (content:"|27 00 00 00 a9 80
>d :4b 61 5a 61 41 00|"; msg:"Kazaa Started";)
>d :alert tcp $HOME_NET 1024:65535 -> $EXTERNAL_NET any (msg:"Kazaa
>d :access";flow: from_client; content: "GET /.hash="; nocase;
>d :classtype:bad-unknown;)
>d :alert tcp any any -> $HOME_NET 1214 (msg: "!!!!FastTrack Protocol
>d :(Morpheus/Kazaa) GET request"; content: "GET "; depth: 4; flags:A+;
>d :reference:url,www.musiccity.com/technology.htm;
>d :reference:url,www.kazaa.com; )
>d :alert tcp !$SMTP_SERVERS any -> $EXTERNAL_NET !80 (msg:"My - P2P GNUTella
>d :GET"; flow:to_server,established; content:"GET /uri-res/"; offset:0;
>d :depth:4; classtype:misc-activity; sid:1432;  rev:3;)
>d :alert udp $EXTERNAL_NET any -> $HOME_NET 7550 (msg:"Edonkey Connection";
>d :content:"|6263 703a 2f2f|"; classtype:policy-violation;)
>d :alert tcp $HOME_NET any -> $EXTERNAL_NET 411 (msg:"Direct Connect P2P
>d :request"; flow: to_server,established; content:"$"; offset:0; depth:2;)
>d :alert tcp $HOME_NET any -> $EXTERNAL_NET 6699 (msg:"Possible WinMX P2P
>d :use"; flow:established; flags: PA;)
>d :
>d :james <hackerwacker at ...225...>
>d :Sent by: snort-sigs-admin at lists.sourceforge.net
>d :09/29/2003 10:34 PM
>d :Please respond to hackerwacker
>d :
>d :
>d :        To:     Tony Hernandez <tonyh at ...1915...>
>d :        cc:     snort-sigs at lists.sourceforge.net
>d :        Subject:        Re: [Snort-sigs] Using snort to Identify P2P transfers.
>d :
>d :
>d :On Mon, 2003-09-29 at 09:51, Tony Hernandez wrote:
>d :I was wondering if anyone has snort on a router mirror port configured
>d :
>d :
>d :Yes, I mirror the edge routers Eth port to my Snort box.
>d :
>d :
>d :to identify p2p traffic ie - kazaa, gnutella, directconnect.. etc.
>d :
>d :Just looking for some info on this, experiences, example sigs etc..
>d :
>d :
>d :Snort comes with P2P rules, try turning them on.
>d :
>d :-------------------------------------------------------
>d :This sf.net email is sponsored by:ThinkGeek
>d :Welcome to geek heaven.
>d :http://thinkgeek.com/sf
>d :_______________________________________________
>d :Snort-sigs mailing list
>d :Snort-sigs at lists.sourceforge.net
>d :https://lists.sourceforge.net/lists/listinfo/snort-sigs
>d :
>d :
>
>-------------------------------------------------------------
>Nigel Houghton   Security Research Engineer   Sourcefire Inc.
>                 Vulnerability Research Team
>
>"Mankind hasn't even got the technology to create a toupee
>that doesn't get big laughs." -- Lister
>
>Message dated: Oct 1
>
>