[Snort-sigs] detect edonkey

Nigel Houghton nigel at ...435...
Wed Oct 8 06:39:21 EDT 2003


Here's some more detailed information on the protocol you might find
useful...

http://gd.tuwien.ac.at/opsys/linux/sf/p/pdonkey/eDonkey-protocol-0.6.1.html

and for other p2p...

http://savannah.nongnu.org/download/mldonkey/docs/

Not to mention the ubiquitous FAQs...

http://www.emule-project.net/faq/start.htm

Good luck with your rule development, don't forget to write a doc for your
rule too :)

Around 1:52pm Cedric Foll said:

CF :Hi,
CF :
CF :I'm working in a school environment and I'd like to stop Edonkey traffic.
CF :I've written the following rule to detect edonkey:
CF :alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Possible Edonkey
CF :Traffic"; flow:established,to_server; content:"|e3|"; offset:0; depth:1;
CF :classtype:policy-violation; sid:10000001; rev:1;)
CF :
CF :In fact in the edonkey protocol, all packets seem to have the first byte of
CF :the data layer set to 0x03.
CF :I get very few false positives.
CF :
CF :Regards.
CF :
CF :

-------------------------------------------------------------
Nigel Houghton   Security Research Engineer   Sourcefire Inc.
                 Vulnerability Research Team

"Mankind hasn't even got the technology to create a toupee
that doesn't get big laughs." -- Lister
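As an added example (not code from this thread, from Snort, or from the eDonkey project), the Python below models what the posted rule matches and adds the header-length consistency check a reviewer would want before trusting a single-byte content match. It assumes the message framing described in the eDonkey 0.6.1 protocol document linked above (0xE3 marker, 4-byte little-endian length covering opcode plus body, then a 1-byte opcode); the sample payloads and the opcode used in them are constructed.

```python
import struct

# Assumed framing from the linked eDonkey-protocol-0.6.1 document:
# [0xE3][length: uint32 LE, counts opcode + body][opcode][body]
EDONKEY_MARKER = 0xE3
HEADER_LEN = 5  # marker byte + 4-byte length field


def first_byte_match(payload: bytes) -> bool:
    """Exactly what the posted rule tests: content:"|e3|"; offset:0; depth:1;"""
    return len(payload) >= 1 and payload[0] == EDONKEY_MARKER


def parse_messages(payload: bytes):
    """Split one TCP segment into (opcode, body) tuples.

    Returns None if the bytes do not decompose into whole, well-framed
    messages, which is how we separate real eDonkey from a random 0xE3.
    """
    msgs, pos = [], 0
    while pos < len(payload):
        if len(payload) - pos < HEADER_LEN or payload[pos] != EDONKEY_MARKER:
            return None
        (length,) = struct.unpack_from("<I", payload, pos + 1)
        if length < 1 or pos + HEADER_LEN + length > len(payload):
            return None  # declared length does not fit the segment
        opcode = payload[pos + HEADER_LEN]
        body = payload[pos + HEADER_LEN + 1 : pos + HEADER_LEN + length]
        msgs.append((opcode, body))
        pos += HEADER_LEN + length
    return msgs


def classify(payload: bytes) -> str:
    """'no-match' (rule silent), 'first-byte-only' (rule fires, framing
    bogus = likely false positive), or 'edonkey' (rule fires, framing OK)."""
    if not first_byte_match(payload):
        return "no-match"
    return "edonkey" if parse_messages(payload) is not None else "first-byte-only"


def build_message(opcode: int, body: bytes) -> bytes:
    """Constructed helper: frame one message the way the parser expects."""
    return bytes([EDONKEY_MARKER]) + struct.pack("<I", 1 + len(body)) + bytes([opcode]) + body


# Constructed samples: the opcode/body carry no real protocol meaning.
SAMPLE_HELLO = build_message(0x01, b"\x10" + bytes(16))
SAMPLE_HTTP = b"GET / HTTP/1.0\r\n\r\n"
SAMPLE_NOISE = b"\xe3\xff\xff\xff\xff\x00"  # 0xE3 start, absurd length

if __name__ == "__main__":
    for name, p in [("hello", SAMPLE_HELLO), ("http", SAMPLE_HTTP), ("noise", SAMPLE_NOISE)]:
        print(name, classify(p))
```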