[Snort-sigs] Direct Connect p2p software

Charles Lacroix chuck at ...2055...
Tue Feb 10 11:08:03 EST 2004


Hi there, I haven't had time to test out
these rules, I was overloaded with other stuff,
but a couple of weeks ago I played with Snort + p2p software.


Here is what I got to detect people connecting to Direct Connect
and performing searches. If you could test them out and let me know
what you think of them.

Charles

# Every rule needs its own sid; the sid:9999 placeholder used for all four
# is replaced with unique local-range sids (>= 1000000).
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P Direct Connect HubList"; flow:to_server,established; content:"GET /PublicHubList.config"; classtype:policy-violation; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P Direct Connect NickList"; flow:to_server,established; content:"NickList"; classtype:policy-violation; sid:1000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P Direct Connect ConnectToMe"; flow:to_server,established; content:"ConnectToMe"; classtype:policy-violation; sid:1000003; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P Direct Connect Search Hub"; flow:to_server,established; content:"Search Hub"; classtype:policy-violation; sid:1000004; rev:1;)
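The following is an added example, not part of the post above and not Charles's code: a small Python harness that parses the four rules (re-joined onto one line each, with unique sids assumed in place of the sid:9999 placeholder) and applies their flow and content options to constructed Direct Connect and HTTP payloads. The sample payloads, the hostnames in them and the nicknames are made up for the demonstration. It shows which rule each payload trips, that flow:to_server keeps the hub's own $NickList reply quiet, and that a bare keyword such as "ConnectToMe" also fires on ordinary web traffic that happens to contain it.

```python
import re

# The rules from the post, one per line, with unique sids assumed
# (the post used sid:9999 for all four).
RULES_TEXT = r'''
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P Direct Connect HubList"; flow:to_server,established; content:"GET /PublicHubList.config"; classtype:policy-violation; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P Direct Connect NickList"; flow:to_server,established; content:"NickList"; classtype:policy-violation; sid:1000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P Direct Connect ConnectToMe"; flow:to_server,established; content:"ConnectToMe"; classtype:policy-violation; sid:1000003; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P Direct Connect Search Hub"; flow:to_server,established; content:"Search Hub"; classtype:policy-violation; sid:1000004; rev:1;)
'''

# action proto src sport -> dst dport (options)
HEADER_RE = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s*->\s*(\S+)\s+(\S+)\s*\((.*)\)\s*$')
# option;  or  option:value;  where value may be a double-quoted string
OPTION_RE = re.compile(r'\s*(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')


def parse_rule(line):
    """Parse one Snort 2 rule into a dict. Only plain (non-|hex|) content
    strings are handled, which is all the posted rules use."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not a rule: " + line)
    action, proto, src, sport, dst, dport, body = m.groups()
    rule = {"action": action, "proto": proto, "contents": [], "flow": set()}
    for key, raw in OPTION_RE.findall(body):
        val = raw.strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        if key == "content":
            rule["contents"].append(val.encode())
        elif key == "flow":
            rule["flow"] = {f.strip() for f in val.split(",")}
        elif key == "sid":
            rule["sid"] = int(val)
        else:
            rule[key] = val
    return rule


def rule_matches(rule, direction, established, payload):
    """Apply the flow and content options to one TCP segment the way Snort
    does without modifiers: every content string must be a case-sensitive
    byte substring, and the flow keywords must describe the stream."""
    if "to_server" in rule["flow"] and direction != "to_server":
        return False
    if "to_client" in rule["flow"] and direction != "to_client":
        return False
    if "established" in rule["flow"] and not established:
        return False
    return all(c in payload for c in rule["contents"])


def run_rules(rules, flows):
    """Return [(sid, flow_name)] for every rule that fires on every flow."""
    hits = []
    for name, direction, established, payload in flows:
        for rule in rules:
            if rule_matches(rule, direction, established, payload):
                hits.append((rule["sid"], name))
    return hits


# Constructed sample traffic: (name, direction, established, payload).
SAMPLE_FLOWS = [
    # DC hub login, client -> hub. "$GetNickList" contains "NickList",
    # so sid 1000002 fires on the client's request.
    ("dc-login", "to_server", True,
     b"$ValidateNick alice|$Version 1,0091|$GetNickList|$MyINFO $ALL alice desc$ $LAN(T1)\x01$$0$|"),
    # Passive search relayed through the hub.
    ("dc-passive-search", "to_server", True,
     b"$Search Hub:alice F?F?0?1?some song|"),
    # Request to the hub to have another peer connect back.
    ("dc-connecttome", "to_server", True,
     b"$ConnectToMe bob 10.0.0.5:412|"),
    # HTTP fetch of the public hub list (hostname made up).
    ("hublist-http", "to_server", True,
     b"GET /PublicHubList.config HTTP/1.0\r\nHost: hublist.example.invalid\r\n\r\n"),
    # The hub's reply carries the same keyword, but flow:to_server keeps
    # the rule quiet on server -> client data.
    ("dc-nicklist-reply", "to_client", True,
     b"$NickList alice$$bob$$|"),
    # Unrelated browsing that happens to contain the bare keyword: a false
    # positive the rule as written cannot distinguish from DC traffic.
    ("web-false-positive", "to_server", True,
     b"GET /blog/ConnectToMe.html HTTP/1.1\r\nHost: www.example.invalid\r\n\r\n"),
]

RULES = [parse_rule(l) for l in RULES_TEXT.strip().splitlines()]

if __name__ == "__main__":
    for sid, name in run_rules(RULES, SAMPLE_FLOWS):
        print(f"sid:{sid} fired on {name}")
```

The last flow is the one to look at before deploying: without the protocol's leading "$" and trailing "|" in the content string, or a dsize/offset constraint, any HTTP request or chat line containing "ConnectToMe" or "NickList" will raise a policy-violation alert.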