[Snort-sigs] revised edonkey sigs using flowbits

Russell Fulton r.fulton at ...575...
Mon Mar 5 18:08:56 EST 2007


Hi Folks,

I tweaked these two rules to first set and then check Flowbits:

# Request: a home host asks an external peer for its IP; set the flowbit, don't alert.
alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 \
    (msg:"BLEEDING-EDGE P2P Edonkey udp IP Request"; dsize:4; \
    content:"|e3 1b|"; depth:2; flowbits:set,edk.ip.requestect; flowbits:noalert; \
    classtype:policy-violation; \
    reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; \
    sid:2013308; rev:1;)
# Reply: alert only when the matching request was already seen on this flow.
alert udp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 \
    (msg:"BLEEDING-EDGE P2P Edonkey IP Transaction"; dsize:<20; \
    content:"|e3 1c|"; depth:2; flowbits:isset,edk.ip.requestect; \
    classtype:policy-violation; \
    reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; \
    sid:2013309; rev:1;)

I then ran them alongside the original and they detected all the replies.

The rules need their sids unmangled and revs changed if they are to be
added to the distribution.  Flowbits works fine with udp flows :)

Russell
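To make the set/isset interplay in the two rules above concrete, here is a small Python model of the same logic run over constructed UDP datagrams. It is an added example, not Snort and not part of the post: it assumes a home network of 10.0.0.0/24 and imitates only the rule options actually used (direction, the 1024:65535 port ranges, dsize, a 2-byte content at depth 2, and flowbits set/isset/noalert). The hosts, ports and payload bytes are made up.

```python
"""Toy model of how the two flowbits rules cooperate on a UDP request/reply.

Constructed example (not Snort, not from the mailing-list post). It mimics
only the options the posted rules use so the request/reply state can be
traced on a handful of hand-made datagrams.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Assumption: the monitored network is 10.0.0.0/24; anything else is external.
HOME_PREFIX = "10.0.0."
FLOWBIT = "edk.ip.requestect"   # bit name exactly as in the posted rules


@dataclass(frozen=True)
class Datagram:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def is_home(ip: str) -> bool:
    return ip.startswith(HOME_PREFIX)


def ephemeral(port: int) -> bool:
    return 1024 <= port <= 65535          # the 1024:65535 ranges in both rules


def flow_key(pkt: Datagram) -> Tuple:
    """Flowbits live on the flow, which is bidirectional: order the two
    endpoints so the reply maps onto the same key as the request."""
    a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
    return (a, b) if a <= b else (b, a)


def request_rule(pkt: Datagram, bits: Dict[Tuple, Set[str]]) -> Optional[str]:
    """sid:2013308 - $HOME_NET -> $EXTERNAL_NET, dsize:4, |e3 1b| within depth 2."""
    if not (is_home(pkt.src) and not is_home(pkt.dst)):
        return None
    if not (ephemeral(pkt.sport) and ephemeral(pkt.dport)):
        return None
    if len(pkt.payload) != 4:             # dsize:4 is an exact length
        return None
    if pkt.payload[:2] != b"\xe3\x1b":    # depth:2 -> a 2-byte content must sit at offset 0
        return None
    bits.setdefault(flow_key(pkt), set()).add(FLOWBIT)   # flowbits:set
    return None                           # flowbits:noalert - state only, no alert


def reply_rule(pkt: Datagram, bits: Dict[Tuple, Set[str]]) -> Optional[str]:
    """sid:2013309 - $EXTERNAL_NET -> $HOME_NET, dsize:<20, |e3 1c|, flowbits:isset."""
    if not (is_home(pkt.dst) and not is_home(pkt.src)):
        return None
    if not (ephemeral(pkt.sport) and ephemeral(pkt.dport)):
        return None
    if not len(pkt.payload) < 20:         # dsize:<20 is strictly less than
        return None
    if pkt.payload[:2] != b"\xe3\x1c":
        return None
    if FLOWBIT not in bits.get(flow_key(pkt), set()):   # flowbits:isset
        return None
    return "BLEEDING-EDGE P2P Edonkey IP Transaction"


def run(packets: List[Datagram]) -> List[Tuple[str, str, str]]:
    """Feed datagrams through both rules in order; return (src, dst, msg) alerts."""
    bits: Dict[Tuple, Set[str]] = {}
    alerts = []
    for pkt in packets:
        for rule in (request_rule, reply_rule):
            msg = rule(pkt, bits)
            if msg:
                alerts.append((pkt.src, pkt.dst, msg))
    return alerts


def demo() -> List[Tuple[str, str, str]]:
    """Constructed traffic: one solicited exchange, one unsolicited reply from
    a host that never received a request, one oversize reply."""
    home, peer, stranger = "10.0.0.5", "198.51.100.7", "203.0.113.9"
    traffic = [
        Datagram(home, 4662, peer, 4672, b"\xe3\x1b\x00\x00"),            # request: sets the bit, no alert
        Datagram(peer, 4672, home, 4662, b"\xe3\x1c" + b"\x00" * 6),      # reply on that flow: alerts
        Datagram(stranger, 4672, home, 4662, b"\xe3\x1c" + b"\x00" * 6),  # no request seen: silent
        Datagram(peer, 4672, home, 4662, b"\xe3\x1c" + b"\x00" * 18),     # 20 bytes: fails dsize:<20
    ]
    return run(traffic)


if __name__ == "__main__":
    for src, dst, msg in demo():
        print(f"{src} -> {dst}: {msg}")
```

The point the model makes is the one the post relies on: the reply rule on its own would fire on any short |e3 1c| datagram aimed at a home host, while with the flowbit it fires only for replies on a flow where the home host sent the request first, and the request rule itself stays silent because of noalert.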