[Snort-users] Snort on W2K: Rules for AudioGalaxy

Chris Green cmg at ...671...
Thu Feb 21 12:31:08 EST 2002


Brian Ertel <bsertel at ...4207...> writes:

> Does anyone have any good rules
> for monitoring AudioGalaxy traffic?
>


02/21-14:
xxx.xxx.xxx.xxx:2190 -> 64.245.58.230:21 TCP TTL:127 TOS:0x0 ID:55423 IpLen:20 DgmLen:45 DF
***AP*** Seq: 0x595495  Ack: 0xC3A358DA  Win: 0xFD40  TcpLen: 20
45 5F 00 03 05                                   E_...

Looks like lots of them do keepalives of that exact packet


so

alert tcp $HOME_NET any -> 64.245.58.0/23 any \
    (content: "|45 5F 00 03 05|"; offset: 0; depth: 5;
     msg: "Audio Galaxy keepalive?")

Should give you a good idea of machines doing audiogalaxy.

Since you work at a school, I have probably the same problem of
tracking hoggish users right now and you may wish to try out
http://ipaudit.sourceforge.net to find bandwidth hogs.  It's designed
for that :-)
-- 
Chris Green <cmg at ...671...>
Fame may be fleeting but obscurity is forever.
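The rule above applies the content match only to the first five payload bytes (offset 0, depth 5) of packets bound for the 64.245.58.0/23 block. The following Python is an added example, not code from Chris Green's post or from Snort: it parses a constructed Snort-style packet dump (the first packet reproduces the keepalive bytes from the post, the other two are made-up negatives) and evaluates the same content/offset/depth and destination-network logic, treating $HOME_NET as "any". The sample addresses and timestamps are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample in Snort's ASCII packet-dump layout (header, TCP flags line, hex dump).
# Packet 1 carries the keepalive bytes from the post; packet 2 has the same bytes later in
# the payload (should NOT match with offset 0 / depth 5); packet 3 goes to another network.
SAMPLE_DUMP = """\
02/21-14:02:11.123456 192.0.2.10:2190 -> 64.245.58.230:21 TCP TTL:127 TOS:0x0 ID:55423 IpLen:20 DgmLen:45 DF
***AP*** Seq: 0x595495  Ack: 0xC3A358DA  Win: 0xFD40  TcpLen: 20
45 5F 00 03 05                                   E_...

02/21-14:02:12.000001 192.0.2.11:3001 -> 64.245.59.12:21 TCP TTL:127 TOS:0x0 ID:55424 IpLen:20 DgmLen:48 DF
***AP*** Seq: 0x1  Ack: 0x2  Win: 0xFD40  TcpLen: 20
00 00 45 5F 00 03 05 00                          ..E_....

02/21-14:02:13.000001 192.0.2.12:3002 -> 198.51.100.7:21 TCP TTL:127 TOS:0x0 ID:55425 IpLen:20 DgmLen:45 DF
***AP*** Seq: 0x1  Ack: 0x2  Win: 0xFD40  TcpLen: 20
45 5F 00 03 05                                   E_...
"""

HEADER_RE = re.compile(
    r"^\S+ (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)"
)
HEX_BYTE_RE = re.compile(r"^[0-9A-Fa-f]{2}$")


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def parse_dump(text: str) -> List[Packet]:
    """Turn a Snort ASCII packet dump into Packet objects with reassembled payload bytes."""
    packets: List[Packet] = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            packets.append(Packet(m["src"], int(m["sport"]), m["dst"], int(m["dport"]), b""))
            continue
        if not packets or not line.strip():
            continue
        # Hex-dump line: byte tokens, then at least two spaces, then the ASCII column.
        hex_part = re.split(r"\s{2,}", line.strip(), maxsplit=1)[0]
        tokens = hex_part.split()
        if tokens and all(HEX_BYTE_RE.match(t) for t in tokens):
            packets[-1].payload += bytes.fromhex(hex_part)
    return packets


@dataclass
class Rule:
    dst_net: ipaddress.IPv4Network
    content: bytes
    offset: int
    depth: int
    msg: str


def content_matches(payload: bytes, content: bytes, offset: int, depth: int) -> bool:
    """Snort offset/depth semantics: look for `content` only within `depth` bytes from `offset`."""
    return content in payload[offset:offset + depth]


def run_rule(rule: Rule, packets: List[Packet]) -> List[Tuple[str, str, str]]:
    """Return (msg, src, dst) for every packet the rule would alert on."""
    alerts = []
    for p in packets:
        if ipaddress.ip_address(p.dst) not in rule.dst_net:
            continue
        if content_matches(p.payload, rule.content, rule.offset, rule.depth):
            alerts.append((rule.msg, p.src, p.dst))
    return alerts


# The rule from the post, expressed as data.
KEEPALIVE_RULE = Rule(
    dst_net=ipaddress.ip_network("64.245.58.0/23"),
    content=bytes.fromhex("45 5F 00 03 05"),
    offset=0,
    depth=5,
    msg="Audio Galaxy keepalive?",
)

if __name__ == "__main__":
    for alert in run_rule(KEEPALIVE_RULE, parse_dump(SAMPLE_DUMP)):
        print(alert)
```

Only the first packet alerts: the second carries the same bytes but at offset 2, outside the five-byte window, and the third is outside the /23. Widening depth (for example to 8) would make the second packet match as well, which is the trade-off between catching variants and keeping the rule cheap and specific.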



