[Snort-sigs] Ares signature?

marcamone at ...1143...
Thu Aug 5 10:56:12 EDT 2004

See how these work out:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P Ares traffic"; content:"User-Agent\: Ares"; reference:url,www.aresgalaxy.org; classtype:policy-violation; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P Ares GET"; content:"GET /ares/"; reference:url,www.aresgalaxy.org; classtype:policy-violation; sid:1000002; rev:1;)

-----Original Message-----
From: snort-sigs-admin at lists.sourceforge.net [mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of Tony Hernandez
Sent: Thursday, August 05, 2004 9:57 AM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] Ares signature?

Has anyone been able to come up with a sig for this type of p2p software?
I have looked at some captures but I don't see anything right off the bat that looks like I can get a sig from. Anyone inspect and write a sig for this one yet?

Tony Hernandez
Network Engineer
Dept. of Housing and Residence Education
University of Florida
