
[Snort-sigs] P2P eDonkey Signatures

Subject: [Snort-sigs] P2P eDonkey Signatures
Date: Wed, 8 Sep 2004 13:50:16 -0600
Hello all..

I have done some research and have hopefully completed some fairly
robust signatures that will detect eDonkey clients running on a
network.  I have tested them in our environment, and they appear to be
working -- YMMV of course.

The only thing I am not sure of are the destination port ranges on the
outside.  In my testing, I never saw it go below 4660 or above 4799,
but this of course could be my testing methodology.

Nevertheless, here are the rules.  You should be able to use
resp:icmp_port on the UDP signatures, as well as resp:rst_all on the
TCP ones.

--  RULES --

# Each rule is on a single line, as Snort requires. The sid values are placeholders
# in the local (1000000+) range and were not part of the original post; renumber for your site.
alert tcp $HOME_NET any -> $EXTERNAL_NET 4660:4799 (msg:"P2P eDonkey File Status"; content:"|e3 14|"; offset:0; depth:2; classtype:policy-violation; sid:1000001; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 4660:4799 (msg:"P2P eDonkey File Status Request"; content:"|e3 11|"; offset:0; depth:2; classtype:policy-violation; sid:1000002; rev:1;)

alert udp $HOME_NET any -> $EXTERNAL_NET 4660:4799 (msg:"P2P eDonkey Server Status Request"; content:"|e3 96|"; offset:0; depth:2; rawbytes; classtype:policy-violation; sid:1000003; rev:1;)

alert udp $HOME_NET 4660:4799 -> $EXTERNAL_NET any (msg:"P2P eDonkey Server Status"; content:"|e3 97|"; offset:0; depth:2; rawbytes; classtype:policy-violation; sid:1000004; rev:1;)

alert udp $HOME_NET any -> $EXTERNAL_NET 4660:4799 (msg:"P2P eDonkey Search"; content:"|e3 0e|"; offset:0; depth:2; rawbytes; classtype:policy-violation; sid:1000005; rev:1;)

# Two content tests: |e3| anywhere in the payload, then |01| within the first 7 bytes (offset/depth are absolute).
alert tcp $HOME_NET any -> $EXTERNAL_NET 4660:4799 (msg:"P2P eDonkey Hello Request"; content:"|e3|"; content:"|01|"; offset:0; depth:7; classtype:policy-violation; sid:1000006; rev:1;)

_-_ END _-_

-Sam
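The following is an added example and not part of Sam's post or of the Snort project: it re-implements the `content`/`offset`/`depth` matching the rules above rely on, loads the six rules as a small table, and runs them over constructed payloads (not captured eDonkey traffic) so a reader can see exactly which byte layouts each rule fires on and which it ignores. The port-range half of each rule is assumed to be satisfied; only the payload tests are emulated.

```python
from typing import List, Optional, Tuple

# One Snort `content` test: the pattern must be found inside the window that
# starts at `offset` and is `depth` bytes long (depth counts from offset).
# A depth of None means "search to the end of the payload".
Content = Tuple[bytes, int, Optional[int]]


def content_matches(payload: bytes, pattern: bytes, offset: int = 0,
                    depth: Optional[int] = None) -> bool:
    """Emulate a single Snort `content` option with its offset/depth modifiers."""
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    return pattern in window


# The six rules from the post, reduced to (msg, protocol, [content tests]).
# `rawbytes` only tells Snort to inspect the undecoded packet bytes, which is
# what this emulation does anyway, so it needs no representation here.
RULES: List[Tuple[str, str, List[Content]]] = [
    ("P2P eDonkey File Status",           "tcp", [(b"\xe3\x14", 0, 2)]),
    ("P2P eDonkey File Status Request",   "tcp", [(b"\xe3\x11", 0, 2)]),
    ("P2P eDonkey Server Status Request", "udp", [(b"\xe3\x96", 0, 2)]),
    ("P2P eDonkey Server Status",         "udp", [(b"\xe3\x97", 0, 2)]),
    ("P2P eDonkey Search",                "udp", [(b"\xe3\x0e", 0, 2)]),
    # Two content tests: |e3| anywhere in the payload, then |01| somewhere in
    # the first 7 bytes (offset/depth are absolute, not relative to the |e3| hit).
    ("P2P eDonkey Hello Request",         "tcp", [(b"\xe3", 0, None),
                                                  (b"\x01", 0, 7)]),
]


def matching_rules(proto: str, payload: bytes) -> List[str]:
    """Return the msg of every rule whose protocol and all content tests match."""
    hits = []
    for msg, rule_proto, contents in RULES:
        if rule_proto != proto:
            continue
        if all(content_matches(payload, pat, off, dep) for pat, off, dep in contents):
            hits.append(msg)
    return hits


# Constructed sample payloads (not captured traffic), chosen to exercise the
# offset/depth semantics rather than to reproduce real eDonkey messages.
SAMPLES = [
    ("udp", b"\xe3\x96\x00\x00"),          # 0xe3 then 0x96 at offset 0
    ("tcp", b"\xe3\x0b\x00\x00\x00\x01"),  # 0x01 inside the first 7 bytes
    ("tcp", b"\xe3\x14\x00\x00\x00\x01"),  # satisfies two rules at once
    ("tcp", b"\x00\xe3\x14"),              # |e3 14| present, but not at offset 0
    ("tcp", b"\xe3\x96"),                  # right bytes, wrong protocol
]

if __name__ == "__main__":
    for proto, payload in SAMPLES:
        print(f"{proto} {payload.hex():<14} -> {matching_rules(proto, payload) or 'no match'}")
```

The third sample is the one worth noticing: because the Hello rule only requires a 0x01 somewhere in the first seven bytes, it also fires on a payload that the File Status rule already claims, and a two-byte `content` at offset 0 will match any traffic whose first two bytes happen to be those values regardless of what protocol produced it. That is why the rules are tied to the port range and why, as the author did, the set should be confirmed against captures from your own network before enabling `resp` actions on it.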


_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

Current thread: [Snort-sigs] P2P eDonkey Signatures, Sam Evans