[Snort-sigs] Ares signature?

Alex Kirk alex.kirk at ...435...
Thu Aug 5 11:41:02 EDT 2004


First off, your User-Agent rule is broken; you don't escape things in a 
regular content match like you would a pcre.

Second, if you want to make sure that you catch this long-term -- they 
could easily change their User-Agent or the directory which they're 
fetching things from -- you need to know stuff unique to the protocol. 
Thus, you need pcaps, and hopefully some knowledge of what protocol 
you're running.

I'd sent the original poster something off-list asking about the 
protocol and for pcaps, but since this has come up, I'm reiterating my 
request on-list, so everyone knows I'm willing to look into it.

Alex Kirk
Research Analyst
Sourcefire, Inc.
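As an added illustration of the escaping point above (this is not code from the thread or from Snort): a small Python decoder for the text inside a Snort `content:"..."` option, assuming the `|..|` hex-byte sections and the escape set documented for Snort 2.9 (`;`, `"`, `\`). It shows that a literal colon and the `|3A|` hex spelling decode to the same bytes, and it rejects the `\:` form posted above so that such a rule fails loudly; how real Snort treats an unknown escape depends on the version, so confirm against the one you run. The HTTP request is constructed for the demo, not taken from an Ares capture.

```python
# Escape set documented for Snort 2.9 content: strings (assumption: the
# exact set varies between Snort versions; check the manual you run).
CONTENT_ESCAPES = {';', '"', '\\'}

def decode_content(pattern: str) -> bytes:
    """Turn the text between the quotes of content:"..." into the raw
    bytes Snort searches for: |..| holds hex bytes, a backslash escapes
    one of ; " \\ and every other character is literal."""
    out = bytearray()
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == '|':
            end = pattern.find('|', i + 1)
            if end == -1:
                raise ValueError("unterminated |hex| section")
            out += bytes.fromhex(pattern[i + 1:end])  # raises on bad hex
            i = end + 1
        elif ch == '\\':
            nxt = pattern[i + 1:i + 2]
            if nxt not in CONTENT_ESCAPES:
                raise ValueError("invalid escape %r at offset %d" % (ch + nxt, i))
            out.append(ord(nxt))
            i += 2
        else:
            out.append(ord(ch))
            i += 1
    return bytes(out)

def content_matches(pattern: str, payload: bytes) -> bool:
    """Plain substring search, which is all a bare content: option does."""
    return decode_content(pattern) in payload

# Constructed sample request for the demo; not taken from an Ares capture.
SAMPLE_REQUEST = (b"GET /ares/index.html HTTP/1.0\r\n"
                  b"User-Agent: Ares\r\n"
                  b"Host: www.example.invalid\r\n\r\n")

def check_rule_strings():
    """Return (literal colon matches, |3A| hex colon matches, \\: rejected)."""
    literal_ok = content_matches("User-Agent: Ares", SAMPLE_REQUEST)
    hex_ok = content_matches("User-Agent|3A| Ares", SAMPLE_REQUEST)
    try:
        decode_content("User-Agent\\: Ares")  # the form posted in the thread
        rejected = False
    except ValueError:
        rejected = True
    return literal_ok, hex_ok, rejected

if __name__ == "__main__":
    print(check_rule_strings())  # (True, True, True)
```

Because a bare content match is only a substring search on easily changed header text, this also makes Alex's second point concrete: a User-Agent rule stops matching the moment the client string changes.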

> See how these work out:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P Ares traffic"; 
> content:"User-Agent\: Ares"; reference:url,www.aresgalaxy.org; 
> classtype:policy-violation; sid:1000001; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P Ares GET"; 
> content:"GET /ares/"; reference:url,www.aresgalaxy.org; 
> classtype:policy-violation; sid:1000002; rev:1;)
>
> -----Original Message-----
>
> From: snort-sigs-admin at lists.sourceforge.net 
> [_mailto:snort-sigs-admin at ...2711...] On Behalf Of Tony 
> Hernandez
>
> Sent: Thursday, August 05, 2004 9:57 AM
>
> To: snort-sigs at lists.sourceforge.net
>
> Subject: [Snort-sigs] Ares signature?
>
>  
>
> Has anyone been able to come up with a sig for this type of p2p software?
>
> http://www.aresgalaxy.org/
>
> I have looked at some captures but I don't see anything right off the 
> bat that looks like I can get a sig from. Anyone inspect and write a 
> sig for this one yet?
>
>  
>
>  
>
> Tony Hernandez
>
> Network Engineer
>
> Dept. of Housing and Residence Education
>
> University of Florida
>
>  
>