[Snort-sigs] signature for SoulSeek P2P?
alex.kirk at ...435...
Mon Aug 16 08:41:05 EDT 2004
Uh, I would think that both of these would be prone to some serious
false positive/negative issues. The first rule is whacking an entire
class C subnet -- which I somehow doubt that these guys' servers use.
Even if you can prove me wrong there (which is indeed possible), what
happens when they switch their servers' location? The rule's dead. The
same problem exists with the second rule, which from looking at the pcap
I've got is just watching for this thing to connect to the soulseek
servers. What happens if they change their domain name? The rule's hosed.
If we want to have a rule that really pins down Soulseek traffic, we
need to be looking at the details of the protocol -- because that's a
million times harder for a P2P network to change than their login
servers, IP addresses, etc. That in mind, there's two things that jump
out at me as pieces to trigger on: the fact that the first four bytes
are always a length field, and that there are message codes in the next
four bytes (based on the protocol information at
I still want to look a bit more closely at this thing before I propose
any kind of rule, but remember: look at the underlying
protocol/vulnerability when writing a rule, don't go for easily changed,
sometimes superfluous bits on top. You're more likely to get a solid,
lasting rule that way.
> See how these work:
> alert tcp $HOME_NET any -> 220.127.116.11/24 2240 (msg:"P2P Soulseek traffic"; classtype:policy-violation; sid:1000001; rev:1;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P Soulseek"; content:"slsknet"; classtype:policy-violation; sid:1000002; rev:1;)
> -----Original Message-----
> From: snort-sigs-admin at lists.sourceforge.net
> [_mailto:snort-sigs-admin at ...2711...] On Behalf Of
> twebster at ...2725...
> Sent: Thursday, August 12, 2004 1:38 PM
> To: snort-sigs at lists.sourceforge.net
> Subject: [Snort-sigs] signature for SoulSeek P2P?
> Does anyone have a snort signature to detect SoulSeek
> (<http://mailcenter2.comcast.net/wm/toolbar/www.slsknet.org>) file
> sharing traffic?
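An added example, not part of the original thread and not a Snort rule: a Python check for the framing the reply points at (a four-byte length field followed by a four-byte message code), compared with the substring the quoted second rule keys on. Little-endian byte order, a length field that counts the code plus the body, the bounds `MAX_CODE` and `MAX_FRAME`, and all sample payloads and code values are assumptions constructed for illustration.

```python
import struct

MAX_CODE = 1024      # assumed upper bound on message codes (hypothetical)
MAX_FRAME = 1 << 20  # assumed sanity cap on a single message length

def frames(payload: bytes):
    """Yield (code, body) per length-prefixed message; raise ValueError if malformed."""
    off = 0
    while off < len(payload):
        if len(payload) - off < 8:
            raise ValueError("truncated header")
        length, code = struct.unpack_from("<II", payload, off)
        # Assumption: the length field covers the 4-byte code plus the body.
        if not 4 <= length <= MAX_FRAME or code > MAX_CODE:
            raise ValueError("implausible length or code")
        end = off + 4 + length
        if end > len(payload):
            raise ValueError("frame runs past payload")
        yield code, payload[off + 8:end]
        off = end

def matches_framing(payload: bytes) -> bool:
    """True when the payload is one or more well-formed frames and nothing else."""
    try:
        return sum(1 for _ in frames(payload)) > 0
    except ValueError:
        return False

def matches_string_rule(payload: bytes) -> bool:
    """The condition the quoted content:"slsknet" rule tests."""
    return b"slsknet" in payload

def make_frame(code: int, body: bytes) -> bytes:
    """Build a constructed test message with the assumed layout."""
    return struct.pack("<II", 4 + len(body), code) + body

# Constructed samples, not captured traffic; codes 1 and 26 are arbitrary.
SAMPLES = {
    "framed, no string": make_frame(1, b"\x04\x00\x00\x00user") + make_frame(26, b""),
    "web request with string": b"GET / HTTP/1.1\r\nHost: www.slsknet.org\r\n\r\n",
    "framed, truncated": make_frame(1, b"abcdef")[:-2],
}

def compare():
    """Map sample name -> (framing match, string match)."""
    return {n: (matches_framing(p), matches_string_rule(p)) for n, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```

The truncated sample shows the cost of requiring frames to tile the payload exactly: a message split across TCP segments is missed unless the check runs on a reassembled stream.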