[Snort-users] Kazaa P2P Rules

Sam Evans sam at ...5202...
Tue Apr 22 10:43:19 EDT 2003


I've run into the same problem with the P2P GET -- I've disabled that rule
as it's worthless in its current state.

As far as Kazaa goes, I have written a rule that seems to work quite
well...   Here's what I have:

alert tcp any 1024: -> any 1024: (msg: "P2P Kazaa File Get"; content: "X-Kazaa"; sid: 1000000; rev:1;)

As far as Bearshare goes, that's a Gnutella based client, and they've
changed their protocol to the point where it's pretty difficult to pick it
out of the network traffic.  But, what I have also done is pick out the
Bearshare address space, and then create a rule based on traffic going to
their network on ports > 80..  This would identify clients connecting to
the Bearshare supernodes (since this has to be done initially to get a
list of supernodes)..

So, a rule could look like:

alert tcp any any -> 208.239.76.0/24 1024: (msg: "Possible Bearshare Client Connection"; sid: 1000001; rev:1;)

Anyhow, YMMV..

-Sam
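To show what the two rules above actually select (and why the port-25 mail traffic from the original question falls outside the Kazaa rule), here is a small added model of Snort's rule-header and content matching, written for this post and not part of Snort or Sam's rules; the Packet/Rule classes, host addresses and payloads are constructed for the example, only the 208.239.76.0/24 range comes from the post:

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:          # constructed stand-in for one TCP segment
    src: str; sport: int; dst: str; dport: int; payload: bytes

def port_matches(spec: str, port: int) -> bool:
    """Snort port syntax: 'any', 'N', 'N:' (N and up), ':N' (up to N), 'N:M'."""
    if spec == "any":
        return True
    if ":" not in spec:
        return port == int(spec)
    lo, hi = spec.split(":")
    return (not lo or port >= int(lo)) and (not hi or port <= int(hi))

def addr_matches(spec: str, addr: str) -> bool:
    """'any' or a CIDR block, as in the rule header."""
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

@dataclass
class Rule:            # header fields plus an optional case-sensitive content match
    msg: str; src: str; sport: str; dst: str; dport: str; content: Optional[bytes] = None
    def matches(self, p: Packet) -> bool:
        return (addr_matches(self.src, p.src) and port_matches(self.sport, p.sport)
                and addr_matches(self.dst, p.dst) and port_matches(self.dport, p.dport)
                and (self.content is None or self.content in p.payload))

# The two rules from the post, expressed as Rule objects.
RULES = [
    Rule("P2P Kazaa File Get", "any", "1024:", "any", "1024:", b"X-Kazaa"),
    Rule("Possible Bearshare Client Connection", "any", "any", "208.239.76.0/24", "1024:"),
]

def alerts_for(p: Packet):
    return [r.msg for r in RULES if r.matches(p)]

# Constructed sample traffic (addresses and payloads invented for the example).
SAMPLES = {
    "kazaa_get":     Packet("10.0.0.5", 3210, "10.9.9.9", 1214,
                            b"GET /song.mp3 HTTP/1.1\r\nX-Kazaa-Username: someone\r\n\r\n"),
    "smtp_mention":  Packet("10.0.0.5", 49152, "10.1.1.1", 25, b"Subject: X-Kazaa?\r\n"),
    "bearshare":     Packet("10.0.0.5", 4000, "208.239.76.10", 6346, b""),
    "bearshare_web": Packet("10.0.0.5", 4001, "208.239.76.10", 80, b"GET / HTTP/1.0\r\n"),
}
```

The destination-port restriction `1024:` is what keeps the mail session out of the Kazaa rule, and it is likewise why the Bearshare rule ignores plain port-80 requests to that network.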


On Tue, 22 Apr 2003, Allan Dover wrote:

> Hey Erek and Gang,
>
> I tried using the P2P rules to catch Kazaa users on my network.  When using the p2p rules I see a lot of port 25 activity for mail, usually a P2P Get command.  Anyone know a way of addressing Kazaa and Bearshare to be monitored/triggered in Snort?
>
>
> Allan Dover
> Systems Administrator
>