[Snort-sigs] winmx bad sig

Charles Lacroix chuck at ...2055...
Tue May 18 10:36:17 EDT 2004


A while back this signature was submitted. I tried it out and it crashed my 
Snort system because the arrow wasn't the right direction.



Colin Grady's sig:

var WINMX_SERVERS [216.127.74.62,66.132.146.48]

alert tcp $HOME_NET any <- $WINMX_SERVERS 7952 (msg:"P2P WinMX connection
initiation"; flags:AP; dsize:149; classtype:policy-violation; rev:1;)



My really basic sig, untested yet, but it will allow Snort to start:

alert tcp $WINMX_SERVERS 7952 -> $HOME_NET any (msg:"P2P WinMX connection initiation"; flags:AP; dsize:149; classtype:policy-violation; rev:1;)





# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
#
# $Id$
#
#

Rule:
var WINMX_SERVERS [216.127.74.62,66.132.146.48]
alert tcp $WINMX_SERVERS 7952 -> $HOME_NET any (msg:"P2P WinMX connection initiation"; flags:AP; dsize:149; classtype:policy-violation; rev:1;)

--
Sid:

--
Summary:
A connection to the WinMX P2P network was initiated, and access to the
WinMX P2P network gained.

--
Impact:
Possible policy violation and abuse of network resources.

--
Detailed Information:
This event indicates the use of a WinMX P2P client. This may be against
company policy.

P2P clients share files residing locally to other machines on the P2P
network. This could result in public exposure of confidential information,
or the introduction of a virus or worm into a secure environment.

--
Affected Systems:
Any host using a P2P client that uses a WinMX-compatible protocol.

--
Attack Scenarios:
This indicates the use of a WinMX P2P client.

--
Ease of Attack:
Simple.

--
False Positives:
None known.

--
False Negatives:
None known.

--
Corrective Action:
Check the host and remove WinMX.

--
Contributors:
Colin Grady <colinREMOVETHIS at ...2159...>

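The thread turns on one detail of the rule-header grammar: Snort accepts only "->" and "<>" as direction operators, and a rule written with "<-" stops Snort from starting. The script below is an added example, not code from the thread or from the Snort project. It is a small Snort rule linter: it joins backslash-continued lines, collects "var" definitions, parses each rule header, flags an illegal direction operator or an undefined "$VAR", and rewrites a "<-" rule into the equivalent "->" rule by swapping the two endpoints, which is exactly the correction made above. The regular expression, the function names and the embedded ruleset are constructed for this example; the sample contains the two rules from the thread (one with "<-", one with "->" and no space after the arrow). HOME_NET and EXTERNAL_NET are assumed to be defined in snort.conf, as in the stock configuration, so they are not reported as undefined.

```python
import re

# Snort rule header grammar: ACTION PROTO SRC SPORT DIR DST DPORT (OPTIONS)
# Only "->" (one direction) and "<>" (either direction) are legal direction
# operators; "<-" is a parse error, which is why Snort refused to start on
# the first rule in the thread.
VALID_DIRECTIONS = ("->", "<>")

HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|activate|dynamic|drop|reject|sdrop)\s+"
    r"(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>|<-)\s*"          # \s* tolerates "->$HOME_NET" with no space
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<opts>.*)\)\s*$"
)

# Assumption: the stock snort.conf defines these, so they are not flagged.
CONF_VARIABLES = {"HOME_NET", "EXTERNAL_NET"}

# Constructed sample ruleset (not a shipped rules file): the two rules from the
# thread, one with the illegal "<-" operator and one with a legal "->".
SAMPLE_RULES = r'''
var WINMX_SERVERS [216.127.74.62,66.132.146.48]

alert tcp $HOME_NET any <- $WINMX_SERVERS 7952 (msg:"P2P WinMX connection \
initiation"; flags:AP; dsize:149; classtype:policy-violation; rev:1;)

alert tcp $WINMX_SERVERS 7952 ->$HOME_NET any (msg:"P2P WinMX connection \
initiation"; flags:AP; dsize:149; classtype:policy-violation; rev:1;)
'''


def load_rules(text):
    """Join backslash-continued lines, drop blanks and comments, and
    separate 'var NAME VALUE' definitions from rule lines."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):           # continuation: keep the space before '\'
            buf += line[:-1]
            continue
        buf += line
        if buf.strip() and not buf.lstrip().startswith("#"):
            logical.append(buf.strip())
        buf = ""
    variables, rules = {}, []
    for line in logical:
        if line.startswith("var "):
            _, name, value = line.split(None, 2)
            variables[name] = value
        else:
            rules.append(line)
    return variables, rules


def split_options(opts):
    """Split 'k:v; k:v;' on semicolons that are not inside double quotes,
    so a ';' inside msg:"..." does not break the option list."""
    out, cur, quoted = [], "", False
    for ch in opts:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            if cur.strip():
                out.append(cur.strip())
            cur = ""
        else:
            cur += ch
    if cur.strip():
        out.append(cur.strip())
    return out


def parse_rule(line):
    """Parse one logical rule line into its header fields and option list."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("unparseable rule header: %s" % line)
    rule = m.groupdict()
    rule["opts"] = split_options(rule["opts"])
    return rule


def lint_rule(rule, variables, conf_variables=CONF_VARIABLES):
    """Problems Snort's parser would reject: bad direction, undefined $VAR."""
    problems = []
    if rule["dir"] not in VALID_DIRECTIONS:
        problems.append("illegal direction operator %r (use -> or <>)" % rule["dir"])
    for field in ("src", "sport", "dst", "dport"):
        token = rule[field].lstrip("!")   # "!$HOME_NET" negates a variable
        if token.startswith("$"):
            name = token[1:]
            if name not in variables and name not in conf_variables:
                problems.append("undefined variable $%s in %s" % (name, field))
    return problems


def fix_direction(rule):
    """Rewrite a '<-' rule as the equivalent '->' rule by swapping the
    endpoints. '->' and '<>' rules are returned unchanged."""
    fixed = dict(rule)
    if rule["dir"] == "<-":
        fixed["src"], fixed["sport"] = rule["dst"], rule["dport"]
        fixed["dst"], fixed["dport"] = rule["src"], rule["sport"]
        fixed["dir"] = "->"
    return fixed


def render(rule):
    """Serialise a parsed rule back to one Snort rule line."""
    return "%s %s %s %s %s %s %s (%s)" % (
        rule["action"], rule["proto"], rule["src"], rule["sport"], rule["dir"],
        rule["dst"], rule["dport"], " ".join(o + ";" for o in rule["opts"]))


def normalise_ruleset(text):
    """Return [(problems, corrected_rule_line), ...] for every rule in text."""
    variables, raw = load_rules(text)
    return [(lint_rule(parse_rule(r), variables), render(fix_direction(parse_rule(r))))
            for r in raw]


if __name__ == "__main__":
    for problems, fixed in normalise_ruleset(SAMPLE_RULES):
        print("problems:", problems or "none")
        print("rule:    ", fixed)
```

Run against the sample, the first rule is reported for its "<-" operator and both rules render to the same corrected line, the one given in the template above. The rewrite is only a header transformation: it does not change what the rule matches, because a "<-" rule with the endpoints swapped is what the author meant by a "->" rule in the first place.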