[Snort-sigs] detect edonkey

Cedric Foll cedric.foll at ...1947...
Wed Oct 8 04:54:05 EDT 2003


I'm working on school environment and I'd like to stop Edonkey traffic.
I've wrote the folowing rule for detect edonkey:
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Possible Edonkey
Traffic"; flow:established,to_server; content:"|e3|"; offset:0; depth:1;
classtype:policy-violation; sid:10000001; rev:1;)

In fact in edonkey protocol, all packet seem to have the first byte of
the data layer set to 0x03.
I get very few false positives.


Cedric Foll
Ingénieur réseaux, Rectorat de Rouen
mèl: cedric.foll at ...1947...
tèl: 02 35 14 77 51

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: Ceci est une partie de message num?riquement sign?e
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20031008/ea358bbd/attachment.sig>

More information about the Snort-sigs mailing list