[Snort-sigs] signature for SoulSeek P2P?

Matthew Jonkman matt at ...2436...
Mon Aug 16 10:26:18 EDT 2004


We've also got this up on bleedingsnort.com:

alert tcp $EXTERNAL_NET 2234 -> $HOME_NET any (msg:"BLEEDING-EDGE P2P Soulseek Filesearch Results"; classtype:policy-violation; content:"|09 00 00 00 78|"; sid:2001187; rev:1;)

Matt
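Added example, not code from the list thread or from bleedingsnort: a small Python parser for the framing Alex Kirk describes in his quoted reply below (a four-byte length field followed by a four-byte message code), run over constructed payloads and compared with the plain content match that the rule above performs. Assumptions not stated on the page: both fields are little-endian, the length counts the code plus the body, and code 9 is the peer-to-peer file-search reply whose body is zlib-compressed, which is what makes |09 00 00 00 78| line up with "code 9, then the first byte of a zlib header". The sample messages are constructed, not captured traffic.

```python
import struct
import zlib

# The content pattern from the bleedingsnort rule above (Snort hex notation |09 00 00 00 78|).
RULE_CONTENT = bytes.fromhex("0900000078")

# Assumption (not stated on the page): length and code are little-endian, the
# length counts the code plus the body, and code 9 is the peer file-search
# reply whose body is a zlib stream.
CODE_FILE_SEARCH_REPLY = 9


def build_message(code: int, body: bytes) -> bytes:
    """Frame one message: length (code + body), then code, then body."""
    return struct.pack("<II", 4 + len(body), code) + body


def parse_messages(stream: bytes):
    """Split a TCP payload into (code, body) frames; raise on a malformed frame."""
    frames = []
    off = 0
    while off < len(stream):
        if off + 8 > len(stream):
            raise ValueError(f"truncated header at offset {off}")
        length, code = struct.unpack_from("<II", stream, off)
        end = off + 4 + length
        if length < 4 or end > len(stream):
            raise ValueError(f"bad length {length} at offset {off}")
        frames.append((code, stream[off + 8:end]))
        off = end
    return frames


def looks_like_zlib(body: bytes) -> bool:
    """zlib header check: CM == 8 (deflate) and the 16-bit header is a multiple of 31."""
    return len(body) >= 2 and body[0] & 0x0F == 8 and ((body[0] << 8) | body[1]) % 31 == 0


def content_rule_hits(stream: bytes) -> bool:
    """What the Snort content match does: substring search anywhere in the payload."""
    return RULE_CONTENT in stream


def protocol_rule_hits(stream: bytes) -> bool:
    """Protocol-aware version: a well-framed code-9 message whose body starts a zlib stream."""
    try:
        frames = parse_messages(stream)
    except ValueError:
        return False
    return any(code == CODE_FILE_SEARCH_REPLY and looks_like_zlib(body) for code, body in frames)


# Constructed samples (not captured traffic).
REAL_REPLY = build_message(CODE_FILE_SEARCH_REPLY, zlib.compress(b"user\x00results..."))
# The same five bytes embedded in the body of some other message, e.g. a chat line.
DECOY = build_message(1, b"hello " + RULE_CONTENT + b" world")
# Code 9 with a body that is not a zlib stream: the rule pattern is absent.
UNCOMPRESSED = build_message(CODE_FILE_SEARCH_REPLY, b"plain text")


def demo():
    """Return (content-match, protocol-aware) verdicts for each sample."""
    return {
        "real": (content_rule_hits(REAL_REPLY), protocol_rule_hits(REAL_REPLY)),
        "decoy": (content_rule_hits(DECOY), protocol_rule_hits(DECOY)),
        "uncompressed": (content_rule_hits(UNCOMPRESSED), protocol_rule_hits(UNCOMPRESSED)),
    }


if __name__ == "__main__":
    for name, (content_hit, proto_hit) in demo().items():
        print(f"{name:12s} content-match={content_hit} protocol-aware={proto_hit}")
```

The decoy shows the trade-off: a substring match fires on the pattern anywhere in the payload, including inside another message's body, while the parsed check only fires on a correctly framed code-9 message whose body passes the zlib header check. In Snort the gap can be narrowed without a parser by pinning the pattern to the code field with `offset:4; depth:5;`, though that still only inspects the first message in a segment.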

Alex Kirk wrote:
> Uh, I would think that both of these would be prone to some serious 
> false positive/negative issues. The first rule is whacking an entire 
> class C subnet -- which I somehow doubt that these guys' servers use. 
> Even if you can prove me wrong there (which is indeed possible), what 
> happens when they switch their servers' location? The rule's dead. The 
> same problem exists with the second rule, which from looking at the pcap 
> I've got is just watching for this thing to connect to the soulseek 
> servers. What happens if they change their domain name? The rule's hosed.
> 
> If we want to have a rule that really pins down Soulseek traffic, we 
> need to be looking at the details of the protocol -- because that's a 
> million times harder for a P2P network to change than their login 
> servers, IP addresses, etc. That in mind, there are two things that jump 
> out at me as pieces to trigger on: the fact that the first four bytes 
> are always a length field, and that there are message codes in the next 
> four bytes (based on the protocol information at 
> http://cvs.sourceforge.net/viewcvs.py/soleseek/SoleSeek/doc/protocol.html?rev=HEAD). 
> 
> 
> I still want to look a bit more closely at this thing before I propose 
> any kind of rule, but remember: look at the underlying 
> protocol/vulnerability when writing a rule, don't go for easily changed, 
> sometimes superfluous bits on top. You're more likely to get a solid, 
> lasting rule that way.
> 
> Alex Kirk
> Research Analyst
> Sourcefire, Inc.
> 
>> See how these work:
>>
>> alert tcp $HOME_NET any -> 38.115.131.0/24 2240 (msg:"P2P Soulseek traffic"; classtype:policy-violation; sid:1000001; rev:1;)
>>
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P Soulseek"; content:"slsknet"; classtype:policy-violation; sid:1000002; rev:1;)
>>
>> -----Original Message-----
>> From: snort-sigs-admin at lists.sourceforge.net
>> [mailto:snort-sigs-admin at ...2711...] On Behalf Of
>> twebster at ...2725...
>> Sent: Thursday, August 12, 2004 1:38 PM
>> To: snort-sigs at lists.sourceforge.net
>> Subject: [Snort-sigs] signature for SoulSeek P2P?
>>
>> Does anyone have a snort signature to detect SoulSeek
>> (www.slsknet.org) file sharing traffic?
>>
>> thanks
>>
>> tony
>>
>> -------------------------------------------------------
>> SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank Media
>> 100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only $33 Save
>> 50% off Retail on Ink & Toner - Free Shipping and Free Gift.
>> http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285
>> _______________________________________________
>> Snort-sigs mailing list
>> Snort-sigs at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>>