[Snort-sigs] Stopping P2P Traffic

Cedric Foll cedric.foll at ...1947...
Mon Oct 13 05:30:03 EDT 2003


For eDonkey I've written this:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Edonkey Client Connection"; flow:established,to_server; content:"|e3|"; offset:0; depth:1; content:"|00 00 00 01|"; offset:2; depth:4; classtype:policy-violation; sid:10000001; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Edonkey Server Message"; flow:established,to_client; content:"|e3|"; offset:0; depth:1; content:"|00 00 00 38|"; offset:2; depth:4; classtype:policy-violation; sid:10000002; rev:1;)

Please test it before using flexresp.

Other P2P protocols should be detected by p2p.rules.


Regards

On Sat 11/10/2003 at 19:28, Lepich, Jesse A Mr GLWACH wrote:
> Please forgive my ignorance. I'm pretty new to snort.
>  
> Is it possible to stop P2P applications like Kazaa, Morpheus, etc, etc
> with Snort + FlexResp? If so could someone shoot me some example sigs?
>  
> Thanks!
>  
> -Jesse
>  
-- 
Cedric Foll
Network engineer, Rectorat de Rouen
email: cedric.foll at ...1947...
tel: 02 35 14 77 51
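
Added example (not part of the original message): a small Python harness that applies the flow direction and content/offset/depth checks of the two rules above to constructed payloads, as one way to see what they match before enabling flexresp. The frame layout in edonkey_frame (0xe3 marker, 4-byte little-endian length, 1-byte opcode) and all sample payloads are assumptions constructed for illustration.

```python
import struct

# Content checks copied from the two rules: flow direction, then
# (pattern, offset, depth) for each content option.
RULES = {
    10000001: ("to_server", [(b"\xe3", 0, 1), (b"\x00\x00\x00\x01", 2, 4)]),
    10000002: ("to_client", [(b"\xe3", 0, 1), (b"\x00\x00\x00\x38", 2, 4)]),
}

def content_match(payload, pattern, offset, depth):
    """Snort content semantics: search only payload[offset:offset+depth]."""
    return pattern in payload[offset:offset + depth]

def matching_sids(payload, direction):
    """Return the sids whose flow direction and content checks all match."""
    return sorted(
        sid for sid, (flow, checks) in RULES.items()
        if flow == direction
        and all(content_match(payload, *check) for check in checks)
    )

def edonkey_frame(opcode, body=b""):
    """Constructed test frame. Assumed layout: 0xe3 marker, 4-byte
    little-endian length (opcode + body), 1-byte opcode, body."""
    return b"\xe3" + struct.pack("<I", len(body) + 1) + bytes([opcode]) + body

# Constructed sample payloads (not captured traffic).
SAMPLES = [
    ("client login, short", "to_server", edonkey_frame(0x01, b"\x00" * 40)),
    ("server message, short", "to_client", edonkey_frame(0x38, b"\x05\x00hello")),
    ("server message, 300-byte body", "to_client", edonkey_frame(0x38, b"A" * 300)),
    ("HTTP request", "to_server", b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
]

if __name__ == "__main__":
    for name, direction, payload in SAMPLES:
        print(f"{name:32} {payload[:6].hex(' '):18} -> {matching_sids(payload, direction)}")
```

The third sample raises no alert because the second content option pins bytes 2-4 of the length field to zero, so the rules cover only frames whose length fits in one byte.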
