Re: Snort and Kazaa 2.0

["Sam Evans" <sam () neuroflux com>]

I would imagine you could.  I didn't spend a whole lot of time on it today,
other than to figure out the similarity that the Kazaa packets had with each
other.  I'll report back my findings tomorrow.

-Sam

----- Original Message -----
From: "Frank Knobbe" <fknobbe () knobbeits com>
To: "Sam Evans" <sam () neuroflux com>
Cc: <snort-users () lists sourceforge net>
Sent: Tuesday, October 22, 2002 9:52 PM
Subject: Re: [Snort-users] Snort and Kazaa 2.0

On Tue, 2002-10-22 at 20:03, Sam Evans wrote:
> Based on what we have seen, it no longer uses the 1214 port for it's
> traffic.  (Although, it does use it sometimes.. )  Wierd.
>
> Anyway, we have come up with a rule that seems to work very well for the
new
> Kazaa.   YMMV though..
>
> This is for snort 1.8.7 (but should work for 1.9.0).
>
> alert tcp any any -> any any (msg: "P2P Kazaa File Transfer"; content:
> "X-Kazaa"; rev: 1;)
>
> What we have seen, is that even though the new Kazaa doesn't use the
> standard 1214, the protocol still utilizes the X-Kazaa tag for it's
> transfers.  While this rule will not alert you as to when someone is
> searching for a file, it will alert when someone initiates a transfer
> session.  (Multiple times quite possibly, depending on the packet).


Can you define an offset or some other characteristic that would avoid
false positives? I mean, this email alone would trigger that rule... :)

Regards,
Frank





-------------------------------------------------------
This sf.net emial is sponsored by: Influence the future 
of Java(TM) technology. Join the Java Community 
Process(SM) (JCP(SM)) program now. 
http://ad.doubleclick.net/clk;4699841;7576301;v?http://www.sun.com/javavote
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users