[Snort-users] P2P rule not working

Jeff jcoppock1 at ...4371...
Wed Apr 9 16:29:02 EDT 2003


Jimmy Hernandez, 2003-Apr-09 14:56 -0700:
> Hi,
> 
>  I was monitoring my alert file to see if the P2P rule was being
> triggered by visiting the kazaa website or by launching the kazaa
> program and nothing was triggered. All the other rules that I am
> currently using are working just fine. I am particularly interested in
> rule 1318
> 
> http://www.snort.org/snort-db/sid.html?id=1383
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET 1214 (msg:"P2P Fastrack
> (kazaa/morpheus) GET request"; flow:to_server,established; content:"GET
> "; depth:4; reference:url,www.musiccity.com/technology.htm;
> reference:url,www.kazaa.com; classtype:protocol-command-decode;
> sid:1383; rev:3;)
> 
> I do not see a warning or error when I run snort for the p2p.rules. But
> there is no alert when I visit the site or even download a file. If
> downloading I notice (with netstat) that the established port is 2816
> and the TIME_WAIT is 1214. Any thoughts? Is anyone having the same
> issue?

This rule is written for kazaa 1.x where you are likely running kazaa
2.x.  The newer kazaa changed the protocol to randomize the ports
used, no longer fixed to tcp:1214.  It also does some encoding of the
tcp streams to pass the data around.  Essentially, they made it very
difficult to detect kazaa activity.

I haven't seen any way to detect it consistently yet.  But I'm still
looking.

You could probably write a rule to detect the initial logon using
udp:1109.  But everything that is random.

jc

-- 
Jeff Coppock		Systems Engineer
Diggin' Debian		Admin and User
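To make the point of the thread concrete, here is a small added Python example (not code from the thread or from the Snort project) that applies the header and content checks of sid:1383 to two constructed client segments: one on the fixed Kazaa 1.x port 1214 and one on the randomized port 2816 seen in the netstat output. The rule text is the one quoted above with the reference and classtype options left out; the flows and payloads are constructed.

```python
from dataclasses import dataclass

# Rule quoted in the thread (sid:1383); reference/classtype options omitted.
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 1214 (msg:"P2P Fastrack '
        '(kazaa/morpheus) GET request"; flow:to_server,established; '
        'content:"GET "; depth:4; sid:1383; rev:3;)')


@dataclass
class Flow:
    """Constructed client-to-server TCP segment in an established flow."""
    dst_port: int
    payload: bytes


def parse_rule(rule: str) -> dict:
    """Extract the fields this matcher understands: protocol, destination
    port, content string, depth and sid. Other options are ignored."""
    header, options = rule.split("(", 1)
    proto, _src, _sport, _arrow, _dst, dport = header.split()[1:7]
    opts = dict(o.strip().split(":", 1)
                for o in options.rstrip(")").split(";") if o.strip())
    return {"proto": proto, "dport": dport,
            "content": opts["content"].strip('"').encode(),
            "depth": int(opts.get("depth", 0)), "sid": int(opts["sid"])}


def port_matches(spec: str, port: int) -> bool:
    """Subset of Snort port syntax: 'any', one port, or a low:high range."""
    if spec == "any":
        return True
    if ":" in spec:
        lo, hi = spec.split(":")
        return int(lo or 0) <= port <= int(hi or 65535)
    return port == int(spec)


def rule_fires(rule: dict, flow: Flow) -> bool:
    """Header check on the destination port, then the content check limited
    to the first `depth` payload bytes, as Snort's depth modifier does."""
    if not port_matches(rule["dport"], flow.dst_port):
        return False
    window = flow.payload[:rule["depth"]] if rule["depth"] else flow.payload
    return rule["content"] in window


# Constructed traffic: identical request bytes on the fixed 1.x port and on
# the randomized port observed in the thread. Only the port differs.
KAZAA_1X = Flow(1214, b"GET /.files HTTP/1.1\r\nHost: peer\r\n\r\n")
KAZAA_2X = Flow(2816, b"GET /.files HTTP/1.1\r\nHost: peer\r\n\r\n")


def evaluate() -> dict:
    rule = parse_rule(RULE)
    return {"sid": rule["sid"], "fixed_port": rule_fires(rule, KAZAA_1X),
            "random_port": rule_fires(rule, KAZAA_2X)}
```

Even with the payload unchanged, the port check alone keeps the rule from firing on the 2.x flow; the stream encoding Jeff mentions would defeat the content check as well.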



