[Snort-users] Snort on W2K: Rules for AudioGalaxy
cmg at ...671...
Thu Feb 21 12:31:08 EST 2002
Brian Ertel <bsertel at ...4207...> writes:
> Does anyone have any good rules
> for monitoring AudioGalaxy traffic?
xxx.xxx.xxx.xxx:2190 -> 220.127.116.11:21 TCP TTL:127 TOS:0x0 ID:55423 IpLen:20 DgmLen:45 DF
***AP*** Seq: 0x595495 Ack: 0xC3A358DA Win: 0xFD40 TcpLen: 20
45 5F 00 03 05 E_...
Looks like lots of them do keep alives of that exact packet
alert tcp $HOME_NET any -> 18.104.22.168/23 any \
(content:"|45 5F 00 03 05|"; offset:0; depth:5; \
msg:"Audio Galaxy keepalive?";)
Should give you a good idea of machines doing AudioGalaxy.
Since you work at a school, I have probably the same problem of
tracking hoggish users right now and you may wish to try out
http://ipaudit.sourceforge.net to find bandwidth hogs. It's designed
for that :-)
Chris Green <cmg at ...671...>
Fame may be fleeting but obscurity is forever.
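As an added example that is not part of the original post, here is a small Python model of how the rule above matches: it parses the Snort `|hex|` content syntax, applies the offset/depth window semantics (with depth:5 the 5-byte pattern has to sit at the very start of the payload), and runs the rule over a few constructed packets to list the internal hosts that tripped it. $HOME_NET is assumed to be 10.0.0.0/8; the destination net and pattern are the ones from the rule.

```python
import ipaddress

# Assumptions for this example: $HOME_NET is the school's 10.0.0.0/8; the
# destination net and the 5-byte pattern are taken from the rule in the post.
HOME_NET = ipaddress.ip_network("10.0.0.0/8")
AG_NET = ipaddress.ip_network("18.104.22.168/23", strict=False)

def parse_content(spec):
    """Turn a Snort content string into bytes: text outside |...| is literal,
    text inside |...| is space-separated hex (e.g. "|45 5F 00 03 05|")."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)

def content_matches(payload, content, offset=0, depth=None):
    """Snort offset/depth semantics: start searching at `offset` and look at
    no more than `depth` payload bytes from there. With depth == len(content)
    the pattern must sit exactly at `offset`."""
    end = None if depth is None else offset + depth
    return content in payload[offset:end]

KEEPALIVE = parse_content("|45 5F 00 03 05|")

def rule_matches(pkt):
    """Apply: alert tcp $HOME_NET any -> 18.104.22.168/23 any (content; offset:0; depth:5)."""
    if pkt["proto"] != "tcp":
        return False
    if ipaddress.ip_address(pkt["src"]) not in HOME_NET:
        return False
    if ipaddress.ip_address(pkt["dst"]) not in AG_NET:
        return False
    return content_matches(pkt["payload"], KEEPALIVE, offset=0, depth=5)

# Constructed sample traffic (not real captures): a keepalive from an internal
# host, one to an address outside the AudioGalaxy net, one with the pattern
# shifted by a byte (so it falls outside depth:5), and one UDP packet.
SAMPLE_PACKETS = [
    {"proto": "tcp", "src": "10.1.2.3", "dst": "18.104.22.170", "payload": KEEPALIVE},
    {"proto": "tcp", "src": "10.1.2.4", "dst": "192.0.2.10", "payload": KEEPALIVE},
    {"proto": "tcp", "src": "10.1.2.5", "dst": "18.104.23.9", "payload": b"\x00" + KEEPALIVE},
    {"proto": "udp", "src": "10.1.2.6", "dst": "18.104.22.170", "payload": KEEPALIVE},
]

def flag_hosts(packets):
    """Internal hosts whose traffic tripped the rule."""
    return {p["src"] for p in packets if rule_matches(p)}
```

Running `flag_hosts(SAMPLE_PACKETS)` on the constructed traffic returns only `{'10.1.2.3'}`; dropping `depth:5` would also catch the shifted packet from 10.1.2.5, which shows why the depth bound keeps the rule tight.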