[Snort-users] Limewire

James Friesen lucretia at ...2281...
Thu Sep 6 07:28:01 EDT 2001


How about a signature to bypass normal method?  I mean, seeing "undefined
code" ICMP errors means little to me, especially if it's part of the normal
connection methodology.  I would be more interested in seeing if someone has
cracked a client or rewrote the stream to affect their own design within the
realm of a normal P2P connection. Warning me of a "Gnutella client" again
doesn't tell me if this is hostile, suspicious, or normal.

Perhaps if I worked in an uptight corporate environment where users could be
swapping dirty pictures I would be very interested in seeing any of this and
logging it, but from a security standpoint without restriction to the users
(activity) I would like to allow (read not be warned) normal activity, but
any other types of activity would be alerted.

Morpheus released an update 1.3.3 this week to address security functions.
To get the update you can download it from someone else who already got it.

Besides the common and well known risks of P2P, has anyone addressed the
functionality or bypass capacity of this and other known software tools that
utilize a similar connection scheme?

Examples of current P2P clients are:

Trillian (this has known bugs currently, but is in beta)
Morpheus - One of the larger of the P2P farms...
Kazaa - This and morpheus use the same connections and I believe they
LimeWire - the JRE Gnutella client
iMesh - Not too much I can say about this one
Hotline - This uses distinct client/server wares to determine whether you're
sharing or getting.
AudioGalaxy - This uses a distinct HTTP protocol for finding and retrieving
files.  They offer their servers as well as the users for downloads.

The first three seem to be the more popular and utilize an interesting
sharing technique.
The latter three I'm not as familiar with.

-----  James Friesen - Integration Specialist
Lucretia Enterprises - info at ...2282...
>:> -----Original Message-----
>:> From: snort-users-admin at lists.sourceforge.net
>:> [mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Stan
>:> Scalsky
>:> Sent: Wednesday, September 05, 2001 7:14 PM
>:> To: snort-users at lists.sourceforge.net
>:> Subject: Re: [Snort-users] Limewire
>:> > Has anyone captured a Limewire session and developed a Snort rule to
>:> detect
>:> > this specific variant of Gnutella?
>:> I find that some of the agents have a specific User-Agent
>:> string, LimeWire
>:> uses "User-Agent: LimeWire" in its html.
>:> -= stan
>:> _______________________________________________
>:> Snort-users mailing list
>:> Snort-users at lists.sourceforge.net
>:> Go to this URL to change user options or unsubscribe:
>:> https://lists.sourceforge.net/lists/listinfo/snort-users
>:> Snort-users list archive:
>:> http://www.geocrawler.com/redir-sf.php3?list=snort-users
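Stan's quoted suggestion is a plain content match on "User-Agent: LimeWire", and James's concern is that such a match fires on every normal download. The script below is an added example, not code from the thread's authors or the Snort project: it shows the Snort-style raw substring match next to a header-aware check that only reports the User-Agent when it sits in the header block of an HTTP request or Gnutella 0.6 handshake, so the reader can see where the two differ. The equivalent rule text, the local sid, the Gnutella handshake format and all sample sessions are assumptions constructed for the example; only the "User-Agent: LimeWire" marker comes from the thread.

```python
"""Compare a Snort-style content match for "User-Agent: LimeWire" with a
header-aware check over constructed HTTP / Gnutella sessions.

Added example, not code from the thread or the Snort project.  The rule
text, sid, handshake format and sample payloads are assumptions.
"""
import re

# Classic Snort rule equivalent to Stan's suggestion (assumed text; sid in
# the local range is an assumption, not a value from the thread).
SNORT_RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any '
    '(msg:"P2P LimeWire client User-Agent"; '
    'content:"User-Agent: LimeWire"; nocase; '
    'classtype:policy-violation; sid:1000001; rev:1;)'
)

# User-Agent prefix -> label.  Only the LimeWire marker is from the thread.
KNOWN_P2P_AGENTS = {"LimeWire": "Gnutella (LimeWire)"}

# Request lines we treat as a header-carrying message: HTTP requests and the
# Gnutella 0.6 connect handshake (assumed format, not from the thread).
REQUEST_LINE = re.compile(r"^(?:[A-Z]+ \S+ HTTP/\d\.\d|GNUTELLA CONNECT/\d\.\d)$")


def snort_style_match(payload: bytes, pattern: bytes = b"User-Agent: LimeWire") -> bool:
    """What content:"..."; nocase; does: case-insensitive substring search over
    the whole payload, headers and body alike."""
    return pattern.lower() in payload.lower()


def parse_headers(payload: bytes) -> dict:
    """Return {lowercased-name: value} for the header block of an HTTP request
    or Gnutella handshake, or {} if the payload does not start like one."""
    text = payload.decode("latin-1")          # latin-1 maps every byte, never raises
    head, _, _body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if not lines or not REQUEST_LINE.match(lines[0]):
        return {}
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def identify_client(payload: bytes):
    """Header-aware check: only the User-Agent header is consulted, so the
    marker appearing in a request body does not count."""
    ua = parse_headers(payload).get("user-agent", "")
    for marker, label in KNOWN_P2P_AGENTS.items():
        if ua.lower().startswith(marker.lower()):
            return label
    return None


def scan(sessions):
    """Run both checks over (name, payload) pairs; returns a list of
    (name, raw_match, client_label) so the two methods can be compared."""
    return [(name, snort_style_match(p), identify_client(p)) for name, p in sessions]


# Constructed sample sessions (addresses, paths and versions are made up).
SAMPLE_SESSIONS = [
    ("limewire_get",
     b"GET /get/12/song.mp3 HTTP/1.1\r\nHost: 192.0.2.10:6346\r\n"
     b"User-Agent: LimeWire/1.6\r\nRange: bytes=0-\r\n\r\n"),
    ("gnutella_handshake",
     b"GNUTELLA CONNECT/0.6\r\nUser-Agent: limewire/1.6\r\n"
     b"X-Ultrapeer: False\r\n\r\n"),
    ("browser",
     b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
     b"User-Agent: Mozilla/4.0 (compatible)\r\n\r\n"),
    # Marker only in the POST body: the raw rule fires, the header check does not.
    ("forum_post",
     b"POST /forum HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/4.0\r\n"
     b"Content-Length: 28\r\n\r\nUser-Agent: LimeWire is nice"),
]

if __name__ == "__main__":
    print(SNORT_RULE)
    for name, raw, client in scan(SAMPLE_SESSIONS):
        print(f"{name:20} raw_match={raw!s:5} client={client}")
```

The `nocase` behaviour is mirrored by lowercasing both sides; the header-aware variant is the check to prefer if, as James wants, the goal is to tag known client traffic as "normal" rather than to alert on every byte sequence that happens to contain the string.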
