[Snort-sigs] detect edonkey

Cedric Foll cedric.foll at ...1947...
Wed Oct 8 08:24:10 EDT 2003


I've improved my rules in order to suppress many of the false positives.

A typical e-donkey connection looks like this (after the TCP connection):

client -> server (start of data layer):
0x03 (proto e-donkey)
0x45 0x00 0x00 0x00 (length of the e-donkey datagram, 69 bytes in this
example)
0x01 (message type: Hello)
Then, Edonkey client info (Hash, id, port, ...)

server -> client
0x03 (proto e-donkey)
0x56 0x00 0x00 0x00 (length of the e-donkey datagram, 86 bytes in this
example)
0x38 (message type: Server Message)
Then, Edonkey server messages.

I suppose that during this step, the length of the datagram is always < 255.
So I tried to match on the start of a datagram:

client -> server
0x03 0xXX 0x00 0x00 0x00 0x01
server -> client
0x03 0xXX 0x00 0x00 0x00 0x38

Because I do the test on 5 packets, the probability of having a false
positive is very low (with only one packet the false positive rate was
much higher).

Finally we have:
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Edonkey Client Connection"; flow:established,to_server; content:"|e3|"; offset:0; depth:1; content:"|00 00 00 01|"; offset:2; depth:4; classtype:policy-violation; sid:10000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Edonkey Server Message"; flow:established,to_client; content:"|e3|"; offset:0; depth:1; content:"|00 00 00 38|"; offset:2; depth:4; classtype:policy-violation; sid:10000002; rev:1;)

Can somebody test these rules and give their opinion?

Regards


On Wed 08/10/2003 at 15:37, Nigel Houghton wrote:
> Here's some more detailed information on the protocol you might find
> useful...
> 
> http://gd.tuwien.ac.at/opsys/linux/sf/p/pdonkey/eDonkey-protocol-0.6.1.html
> 
> and for other p2p...
> 
> http://savannah.nongnu.org/download/mldonkey/docs/
> 
> Not to mention the ubiquitous FAQs...
> 
> http://www.emule-project.net/faq/start.htm
> 
> Good luck with your rule development, don't forget to write a doc for your
> rule too :)
> 
> Around 1:52pm Cedric Foll said:
> 
> CF :Hi,
> CF :
> CF :I'm working in a school environment and I'd like to stop Edonkey traffic.
> CF :I've written the following rule to detect edonkey:
> CF :alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Possible Edonkey
> CF :Traffic"; flow:established,to_server; content:"|e3|"; offset:0; depth:1;
> CF :classtype:policy-violation; sid:10000001; rev:1;)
> CF :
> CF :In fact in the edonkey protocol, all packets seem to have the first byte of
> CF :the data layer set to 0x03.
> CF :I get very few false positives.
> CF :
> CF :Regards.
> CF :
> CF :
> 
> -------------------------------------------------------------
> Nigel Houghton   Security Research Engineer   Sourcefire Inc.
>                  Vulnerability Research Team
> 
> "Mankind hasn't even got the technology to create a toupee
> that doesn't get big laughs." -- Lister
> 
> 
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
-- 
Cedric Foll
Network engineer, Rectorat de Rouen
email: cedric.foll at ...1947...
tel: 02 35 14 77 51
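As an added example (not the poster's code, and not part of Snort), the
following Python script emulates the two content checks from the rules above
over constructed eDonkey-style TCP payloads. It builds messages with the
framing the post describes (protocol byte, 32-bit little-endian length,
message type), applies the same offset/depth logic as the rules, and shows the
assumption the rules rest on: once the length field reaches 256 or more, byte 2
is no longer zero and the rule stops matching. The length-covers-opcode-plus-body
convention in build_ed2k_message, the sample payloads and all function names are
assumptions of this example.

```python
"""Emulate the two Snort content checks from the post over constructed
eDonkey-style TCP payloads, and show the length < 256 assumption they rest on.
Added example, not the original poster's code."""
import struct

# Protocol marker byte as written in the rules (content:"|e3|").
ED2K_PROTO = 0xE3
# Message types named in the post.
OP_HELLO = 0x01           # client -> server "Hello"
OP_SERVER_MESSAGE = 0x38  # server -> client "Server Message"

# The two rules from the post: msg -> (flow direction, expected opcode).
RULES = {
    "Edonkey Client Connection": ("to_server", OP_HELLO),
    "Edonkey Server Message": ("to_client", OP_SERVER_MESSAGE),
}


def build_ed2k_message(opcode, body):
    """Build one eDonkey TCP message: proto byte, 32-bit little-endian length
    covering opcode + body (framing convention assumed here), opcode, body.
    Used only to construct sample traffic for this example."""
    return (bytes([ED2K_PROTO]) + struct.pack("<I", 1 + len(body))
            + bytes([opcode]) + body)


def parse_header(payload):
    """Return (proto, length, opcode) from the first 6 bytes, or None if the
    payload is too short to hold a header."""
    if len(payload) < 6:
        return None
    proto = payload[0]
    (length,) = struct.unpack_from("<I", payload, 1)
    opcode = payload[5]
    return proto, length, opcode


def _rule_matches(payload, opcode):
    # content:"|e3|"; offset:0; depth:1;
    #   -> byte 0 must be 0xE3
    # content:"|00 00 00 <opcode>|"; offset:2; depth:4;
    #   -> bytes 2..5 must be the three high length bytes (zero) plus the
    #      opcode, which only holds while the length field is < 256
    return (len(payload) >= 6
            and payload[0] == ED2K_PROTO
            and payload[2:6] == b"\x00\x00\x00" + bytes([opcode]))


def matches_client_rule(payload):
    """sid:10000001 content checks (direction is checked by scan_flow)."""
    return _rule_matches(payload, OP_HELLO)


def matches_server_rule(payload):
    """sid:10000002 content checks (direction is checked by scan_flow)."""
    return _rule_matches(payload, OP_SERVER_MESSAGE)


def scan_flow(packets):
    """packets: list of (direction, payload), direction 'to_server' or
    'to_client'. Returns the rule messages that would fire, in order."""
    alerts = []
    for direction, payload in packets:
        for msg, (rule_dir, opcode) in RULES.items():
            if direction == rule_dir and _rule_matches(payload, opcode):
                alerts.append(msg)
    return alerts


# Constructed sample flow (not captured traffic).
SAMPLE_FLOW = [
    ("to_server", build_ed2k_message(OP_HELLO, b"\x00" * 68)),           # len 69 = 0x45
    ("to_client", build_ed2k_message(OP_SERVER_MESSAGE, b"\x00" * 85)),  # len 86 = 0x56
    ("to_server", b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),    # unrelated traffic
    ("to_client", build_ed2k_message(OP_SERVER_MESSAGE, b"\x00" * 300)), # len 301 = 0x012D, missed
]

if __name__ == "__main__":
    for direction, payload in SAMPLE_FLOW:
        print(direction, payload[:6].hex(" "), parse_header(payload))
    print(scan_flow(SAMPLE_FLOW))
```

The fourth sample packet is a valid Server Message whose length byte pattern
is 2D 01 00 00, so bytes 2..5 read 01 00 00 38 and the rule does not fire;
that is the coverage gap the post accepts when it assumes lengths below 255.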

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20031008/91e734df/attachment.sig>