[Snort-sigs] signature for SoulSeek P2P?

Alex Kirk alex.kirk at ...435...
Mon Aug 16 08:41:05 EDT 2004


Uh, I would think that both of these would be prone to some serious 
false positive/negative issues. The first rule is whacking an entire 
class C subnet -- which I somehow doubt that these guys' servers use. 
Even if you can prove me wrong there (which is indeed possible), what 
happens when they switch their servers' location? The rule's dead. The 
same problem exists with the second rule, which from looking at the pcap 
I've got is just watching for this thing to connect to the Soulseek 
servers. What happens if they change their domain name? The rule's hosed.

If we want to have a rule that really pins down Soulseek traffic, we 
need to be looking at the details of the protocol -- because that's a 
million times harder for a P2P network to change than their login 
servers, IP addresses, etc. With that in mind, there are two things that jump 
out at me as pieces to trigger on: the fact that the first four bytes 
are always a length field, and that there are message codes in the next 
four bytes (based on the protocol information at 
http://cvs.sourceforge.net/viewcvs.py/soleseek/SoleSeek/doc/protocol.html?rev=HEAD). 


I still want to look a bit more closely at this thing before I propose 
any kind of rule, but remember: look at the underlying 
protocol/vulnerability when writing a rule, don't go for easily changed, 
sometimes superfluous bits on top. You're more likely to get a solid, 
lasting rule that way.

Alex Kirk
Research Analyst
Sourcefire, Inc.

> See how these work:
>
> alert tcp $HOME_NET any -> 38.115.131.0/24 2240 (msg:"P2P Soulseek 
> traffic"; classtype:policy-violation; sid:1000001; rev:1;)
>
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P Soulseek"; 
> content:"slsknet"; classtype:policy-violation; sid:1000002; rev:1;)
>
> -----Original Message-----
>
> From: snort-sigs-admin at lists.sourceforge.net 
> [_mailto:snort-sigs-admin at ...2711...] On Behalf Of 
> twebster at ...2725...
>
> Sent: Thursday, August 12, 2004 1:38 PM
>
> To: snort-sigs at lists.sourceforge.net
>
> Subject: [Snort-sigs] signature for SoulSeek P2P?
>
>  
>
> Does anyone have a snort signature to detect SoulSeek 
> (www.slsknet.org) file sharing traffic?
>
> thanks
>
> tony
>
>  
>
> _______________________________________________
>
> Snort-sigs mailing list
>
> Snort-sigs at lists.sourceforge.net 
> _https://lists.sourceforge.net/lists/listinfo/snort-sigs_
>
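As an added illustration of the framing-based approach Alex argues for above (this is example code written for this page, not code from the thread or from the Soulseek project), the following Python builds a Soulseek-style login message and then checks a raw TCP stream against the "4-byte length, then 4-byte message code" framing instead of against a server subnet or the string "slsknet". The little-endian byte order, the message code numbers (1 = Login, 2 = SetWaitPort, 26 = FileSearch, 32 = Ping, 64 = RoomList) and the login payload layout are assumptions taken from my reading of the linked protocol document and should be checked against it before anything goes into a rule; the sample traffic is constructed here, not captured.

```python
import struct

# ASSUMPTION: Soulseek server messages are framed as
#   u32 length (little-endian) | u32 message code | payload
# where `length` counts the code and payload but not itself.
# Code numbers below are from the linked protocol doc as I read it;
# verify them against the spec.
LOGIN_CODE = 1
KNOWN_SERVER_CODES = frozenset({1, 2, 26, 32, 64})


def slsk_string(s: bytes) -> bytes:
    """Soulseek string encoding: u32 little-endian length followed by the bytes."""
    return struct.pack("<I", len(s)) + s


def build_message(code: int, payload: bytes) -> bytes:
    """Wrap a message code and payload in the length/code framing."""
    body = struct.pack("<I", code) + payload
    return struct.pack("<I", len(body)) + body


def build_login(username: bytes, password: bytes, version: int = 157) -> bytes:
    """Constructed sample login message: string username, string password, u32 version
    (ASSUMPTION: layout per the protocol doc; later client versions add more fields)."""
    payload = slsk_string(username) + slsk_string(password) + struct.pack("<I", version)
    return build_message(LOGIN_CODE, payload)


def parse_messages(stream: bytes) -> list:
    """Walk a reassembled TCP stream and return [(code, payload), ...].

    Raises ValueError if the framing does not hold: a length field that is
    smaller than the code field or that runs past the end of the data, or
    trailing bytes that do not form a complete header.
    """
    msgs = []
    off = 0
    while off + 8 <= len(stream):
        (length,) = struct.unpack_from("<I", stream, off)
        if length < 4 or off + 4 + length > len(stream):
            raise ValueError(f"bad length field {length} at offset {off}")
        (code,) = struct.unpack_from("<I", stream, off + 4)
        payload = stream[off + 8 : off + 4 + length]
        msgs.append((code, payload))
        off += 4 + length
    if off != len(stream):
        raise ValueError(f"{len(stream) - off} trailing bytes without a full header")
    return msgs


def looks_like_soulseek(stream: bytes, known_codes=KNOWN_SERVER_CODES) -> bool:
    """Protocol-level check: every message in the stream must be well framed and
    carry a known server message code. This is what a rule should key on; the
    server IP and the 'slsknet' hostname never appear in the framed traffic."""
    try:
        msgs = parse_messages(stream)
    except ValueError:
        return False
    return bool(msgs) and all(code in known_codes for code, _ in msgs)


if __name__ == "__main__":
    login = build_login(b"alice", b"hunter2")
    print("login message:", login.hex())
    print("framing check on login:", looks_like_soulseek(login))
    print("'slsknet' content match on login:", b"slsknet" in login)
    print("framing check on HTTP:", looks_like_soulseek(b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"))
```

Run as a script it prints the constructed login message, shows that the framing check accepts it while the `content:"slsknet"` rule from the thread would never match the actual protocol bytes, and shows that an HTTP request fails the framing check because "GET " read as a little-endian length runs far past the end of the data. In a Snort rule the same idea maps onto `byte_test` on the length field at offset 0 and `content` with `offset:4; depth:4;` on the message code, which is tied to the protocol rather than to whichever subnet or hostname the servers happen to use this month.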