[Snort-sigs] detect edonkey

Nigel Houghton nigel at ...435...
Wed Oct 8 06:39:21 EDT 2003

Here's some more detailed information on the protocol you might find


and for other p2p...


Not to mention the ubiquitous FAQs...


Good luck with your rule development, don't forget to write a doc for your
rule too :)

Around 1:52pm Cedric Foll said:

CF :Hi,
CF :
CF :I'm working on school environment and I'd like to stop Edonkey traffic.
CF :I've written the following rule to detect edonkey:
CF :alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Possible Edonkey
CF :Traffic"; flow:established,to_server; content:"|e3|"; offset:0; depth:1;
CF :classtype:policy-violation; sid:10000001; rev:1;)
CF :
CF :In fact in edonkey protocol, all packet seem to have the first byte of
CF :the data layer set to 0x03.
CF :I get very few false positives.
CF :
CF :Regards.
CF :
CF :

Nigel Houghton   Security Research Engineer   Sourcefire Inc.
                 Vulnerability Research Team

"Mankind hasn't even got the technology to create a toupee
that doesn't get big laughs." -- Lister
