[Snort-sigs] signature for SoulSeek P2P?
matt at ...2436...
Mon Aug 16 10:26:18 EDT 2004
We've also got this up on bleedingsnort.com:
alert tcp $EXTERNAL_NET 2234 -> $HOME_NET any (msg:"BLEEDING-EDGE P2P Soulseek Filesearch Results"; classtype:policy-violation; content:"|09 00 00 00 78|"; sid:2001187; rev:1;)
Alex Kirk wrote:
> Uh, I would think that both of these would be prone to some serious
> false positive/negative issues. The first rule is whacking an entire
> class C subnet -- which I somehow doubt that these guys servers use.
> Even if you can prove me wrong there (which is indeed possible), what
> happens when they switch their servers' location? The rule's dead. The
> same problem exists with the second rule, which from looking at the pcap
> I've got is just watching for this thing to connect to the soulseek
> servers. What happens if they change their domain name? The rule's hosed.
> If we want to have a rule that really pins down Soulseek traffic, we
> need to be looking at the details of the protocol -- because that's a
> million times harder for a P2P network to change than their login
> servers, IP addresses, etc. That in mind, there's two things that jump
> out at me as pieces to trigger on: the fact that the first four bytes
> are always a length field, and that there are message codes in the next
> four bytes (based on the protocol information at
> I still want to look a bit more closely at this thing before I propose
> any kind of rule, but remember: look at the underlying
> protocol/vulnerability when writing a rule, don't go for easily changed,
> sometimes superfluous bits on top. You're more likely to get a solid,
> lasting rule that way.
> Alex Kirk
> Research Analyst
> Sourcefire, Inc.
>> See how these work:
>> alert tcp $HOME_NET any -> 22.214.171.124/24 2240 (msg:"P2P Soulseek
>> traffic"; classtype:policy-violation; sid:1000001; rev:1;)
>> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P Soulseek";
>> content:"slsknet"; classtype:policy-violation; sid:1000002; rev:1;)
>> -----Original Message-----
>> From: snort-sigs-admin at lists.sourceforge.net
>> [mailto:snort-sigs-admin at ...2711...] On Behalf Of
>> twebster at ...2725...
>> Sent: Thursday, August 12, 2004 1:38 PM
>> To: snort-sigs at lists.sourceforge.net
>> Subject: [Snort-sigs] signature for SoulSeek P2P?
>> Does anyone have a snort signature to detect SoulSeek
>> <http://mailcenter2.comcast.net/wm/toolbar/www.slsknet.org> file
>> sharing traffic?
>> SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank Media
>> 100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only $33 Save
>> 50% off Retail on Ink & Toner - Free Shipping and Free Gift.
>> Snort-sigs mailing list
>> Snort-sigs at lists.sourceforge.net
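The length-then-code framing Alex Kirk points at, as an added example (Python written for this page, not code from the thread, from Snort or from the SoulSeek project): it flags a payload only when it parses end to end as a chain of 4-byte length fields each followed by a 4-byte message code, so it does not depend on the server IP or domain the earlier rules keyed on. Little-endian byte order, the `known_codes` set and the sample bytes are assumptions and constructed data, not facts stated in the thread.

```python
import struct

# Assumed framing (the thread gives only "4-byte length, then 4-byte code"):
# both fields little-endian, and the length counts every byte after itself,
# so a message with an empty body has length 4 (the code alone).
HEADER = struct.Struct("<II")


def parse_messages(payload: bytes):
    """Split a TCP payload into (code, body) tuples; ValueError on bad framing."""
    msgs = []
    off = 0
    while off < len(payload):
        if len(payload) - off < HEADER.size:
            raise ValueError(f"truncated header at offset {off}")
        length, code = HEADER.unpack_from(payload, off)
        # The length must cover at least the code and must fit the capture;
        # arbitrary text (HTTP, SMTP, ...) almost never yields a length that
        # lands exactly on a later message boundary, which is what we rely on.
        if length < 4 or off + 4 + length > len(payload):
            raise ValueError(f"length {length} at offset {off} does not fit")
        body = payload[off + 8 : off + 4 + length]
        msgs.append((code, body))
        off += 4 + length
    return msgs


def looks_like_soulseek(payload: bytes, known_codes=frozenset()) -> bool:
    """True when the whole payload is well-framed messages.

    known_codes (assumed, analyst-supplied) optionally restricts the verdict
    to message codes confirmed from protocol documentation, cutting the
    chance that unrelated length-prefixed traffic matches by accident.
    """
    try:
        msgs = parse_messages(payload)
    except ValueError:
        return False
    if not msgs:
        return False
    if known_codes:
        return all(code in known_codes for code, _ in msgs)
    return True


def build_message(code: int, body: bytes) -> bytes:
    """Constructed sample builder (test data only): length = 4 + len(body)."""
    return HEADER.pack(4 + len(body), code) + body
```

A Snort rule can only approximate this with fixed `content` bytes; the parser above is the kind of check a protocol-aware preprocessor or a post-capture triage script would apply to confirm a hit.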