[Snort-sigs] winmx bad sig

Nigel Houghton nigel at ...435...
Tue May 18 12:03:01 EDT 2004

On  0, Charles Lacroix <chuck at ...2055...> allegedly wrote:
> A while back this signature was submitted, i tried it out and it crashed my 
> snort system because the arrow wasn't the right direction
> Colin Grady's sig:
> alert tcp $HOME_NET any <- $WINMX_SERVERS 7952 (msg:"P2P WinMX connection
> initiation"; flags:AP; dsize:149; classtype:policy-violation; rev:1;)
> My really basic untested yet but will allow snort to start sig:
> alert tcp $WINMX_SERVERS 7952 ->$HOME_NET any (msg:"P2P WinMX connection
> initiation"; flags:AP; dsize:149; classtype:policy-violation; rev:1;)

There are a few things to note about this rule. First is that the list of
WinMX servers is far from complete, the second is that the port is
different depending on the server being used, third why use flags instead
of flow?

WinMX is a client for the Napster or Opennap protocol, fortunately both
are well documented and it should be pretty straightforward to find this
information so you can write better rules to detect connections,
disconnections, file requests etc.. The existing p2p.rules should be a
good place to start with examples for rules that detect Napster activity.

The rule creation process relies heavily on good and complete research
into what you are trying to detect, I think more research is needed here.
Hope this helps with your rule, good luck :)

Nigel Houghton       Research Engineer        Sourcefire Inc.
                 Vulnerability Research Team

In an emergency situation involving two or more officers of equal rank,
seniority will be granted to whichever officer can program a vcr.

More information about the Snort-sigs mailing list