[Snort-users] Snort and Kazaa 2.0

Sam Evans sam at ...5202...
Tue Oct 22 21:07:02 EDT 2002


I would imagine you could.  I didn't spend a whole lot of time on it today,
other than to figure out the similarity that the Kazaa packets had with each
other.  I'll report back my findings tomorrow.

-Sam

----- Original Message -----
From: "Frank Knobbe" <fknobbe at ...652...>
To: "Sam Evans" <sam at ...5202...>
Cc: <snort-users at lists.sourceforge.net>
Sent: Tuesday, October 22, 2002 9:52 PM
Subject: Re: [Snort-users] Snort and Kazaa 2.0

On Tue, 2002-10-22 at 20:03, Sam Evans wrote:
> Based on what we have seen, it no longer uses the 1214 port for it's
> traffic.  (Although, it does use it sometimes.. )  Wierd.
>
> Anyway, we have come up with a rule that seems to work very well for the
new
> Kazaa.   YMMV though..
>
> This is for snort 1.8.7 (but should work for 1.9.0).
>
> alert tcp any any -> any any (msg: "P2P Kazaa File Transfer"; content:
> "X-Kazaa"; rev: 1;)
>
> What we have seen, is that even though the new Kazaa doesn't use the
> standard 1214, the protocol still utilizes the X-Kazaa tag for it's
> transfers.  While this rule will not alert you as to when someone is
> searching for a file, it will alert when someone initiates a transfer
> session.  (Multiple times quite possibly, depending on the packet).


Can you define an offset or some other characteristic that would avoid
false positives? I mean, this email alone would trigger that rule... :)

Regards,
Frank







More information about the Snort-users mailing list