Idea or two for eDonkey [WAS: RE: [Snort-sigs] Using snort to Identify P2P transfers.]
sbriggs at ...1781...
Wed Oct 1 11:30:02 EDT 2003
If I remember correctly, there is usually a list of valid servers downloaded as one of the initial steps upon an edonkey/emule client connection to a server. There are also sites that allow for downloads of the server .MET files:
That one updates every 12 minutes.
It would seem logical to have some sort of auto-grab command (wget comes to mind) and parse out the various hostnames & ip addresses (and remember-the edonkey server port number is listed as well).
Once this list is in hand, either use it to update snort lists or make changes on your outbound router/firewall rules to block these sites:ports?
Yes, I realize none of this will be easy; I'm just trying to brainstorm. It just seems that with an easily obtained server list that the vast majority of users use, reducing traffic shouldn't be too difficult (eliminating traffic from savvy users will prove more problematic, as soon as splinter edonkey network start showing up).
Just an idea,
From: nlloyd at ...1923... [mailto:nlloyd at ...1923...]
Sent: Wed 10/1/2003 11:07 AM
To: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] Using snort to Identify P2P transfers.
There's something wrong with ALL of these rules that are supposed to catch Kazaa.. The truth is that 75% or more of the Fastrack traffic happens on ports other than 1214..
I had to re-write my rule to look for "X-Kazaa" in any packet on any port..
Of course, now that I've spilled my dirty little secret about how I kill kazaa traffic, fasttrack will start encrypting its traffic and I'll be hozed..
e-donkey is taking off now anyway because there isn't a good way to find and flex-resp it into oblivion..
(Saint Mary's University of Minnesota, Winona campus)
More information about the Snort-sigs