Re: [Snort-sigs] False +ves on 2586 -- P2P eDonkey transfer

We've got a set of edonkey rules up on bleedingsnort that were submitted 
by Chich and Sam Evans that I've been having great accuracy with.

If you have a need I'd try those. Let us know how the accuracy is for you.

Matt

Chich Thierry wrote:
> Russell Fulton wrote:
>
> > GEN:SID   1:2586   Message  P2P eDonkey transfer  
> > Rule alert tcp $HOME_NET 4242 <> $EXTERNAL_NET any (msg:"P2P eDonkey
> > transfer"; flow:established; content:"|E3|"; depth:1;
> > reference:url,www.kom.e-technik.tu-darmstadt.de/publications/abstracts/HB02-1.html; 
> > classtype:policy-violation; sid:2586; rev:1;)
> >
> > I am seeing significant numbers of false +ve on this rule for data
> > coming back from web servers where the source port happens to be 4242
> > and the first byte of the packet is 0XE3.  I wonder if a to_server would
> > fix this?  (since I don't know the EDonkey protocol it may be the server
> > that send the E3 in which case this won't work).
> >  
>
> It is not possible to specify  the servers. Edonkey is a peer to peer 
> program
> that allow users to share movies or music (mostly are illegal contents).
> However, this rule is not  specific enough. I believe we should supress 
> it or
> replace with an other one.
>
> Thierry Chich


-------------------------------------------------------
This SF.Net email is sponsored by:
Sybase ASE Linux Express Edition - download now for FREE
LinuxWorld Reader's Choice Award Winner for best database on Linux.
http://ads.osdn.com/?ad_id=5588&alloc_id=12065&op=click
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs