
List:       emerging-sigs
Subject:    [Emerging-Sigs] Couple P2P rules
From:       jonkman () jonkmans ! com (Matt Jonkman)
Date:       2009-02-23 17:16:59
Message-ID: 49A2DA0B.1010705 () jonkmans ! com

Good stuff, few questions inline:

Campesi, Christopher wrote:
> Manolito P2P
> 
> alert udp $EXTERNAL_NET 41170 -> $HOME_NET any (msg:"Manolito P2P Connection (1)";content:"|3d 4a d9|";offset:0;depth:3;classtype:policy-violation;reference:url,manolito.com;sid:XXXXXXXXX;rev:1;)
> 
> alert udp $EXTERNAL_NET 41170 -> $HOME_NET any (msg:"Manolito P2P Connection (2)";content:"|3e 4a d9|";offset:0;depth:3;classtype:policy-violation;reference:url,manolito.com;sid:XXXXXXXXX;rev:1;)
> 
> alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 41170 (msg:"Manolito Ping";content:"|3d|";offset:0;depth:1;content:"|d9|";distance:1;content:"|ed bb|";within:20;classtype:policy-violation;reference:url,manolito.com;sid:XXXXXXXXX;rev:1;)
> 


Interesting ones. Can we do a dsize on them to help prevent falses on
things like ftp connections that might hit this port? Even just a less
than dsize?

> 
> ThunderNetwork/Xunlei - Download Manager/Chat/P2P
> 
> It's all in Chinese so I have no idea what I'm clicking on, even with
> English translation pack it's still hard to figure out. The rule below cuts
> BitTorrent significantly, sometimes completely. Very popular on campus here
> with the international students. If someone wants a pcap I can provide that.
> Probably can make this rule better
> 
> 
> alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ThunderNetwork UDP Traffic";dsize:<38;content:"|32 00 00 00|";offset:0;depth:4;classtype:policy-violation;reference:url,xunlei.com;reference:url,en.wikipedia.org/wiki/Xunlei;sid:XXXXXXXXX;rev:1;)
> 

I think this is good as is. Little chance of falses, although possible.
Performance might be better if we were able to use a longer initial
content match. Is there more that could be used?

Thanks for the sigs! Great stuff.

Matt

> 
> Regards,
> 
> Chris
> 

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
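The dsize question raised in this reply, worked through as an added example (this is not code from the list or from either poster): a small Python matcher that models the subset of Snort keywords the rules above use (content with offset/depth, distance/within, and dsize), transcribes the four rules into it, and runs them over constructed payloads. The point it shows is that a large datagram which merely begins with the Manolito connection bytes still fires the connection rule, and that adding a size ceiling removes that hit while the genuine-looking small datagrams still match. The threshold of 64 and all payloads are assumptions made for illustration; a real cutoff would be taken from measured Manolito datagram sizes in a pcap.

```python
"""Simplified Snort-style matcher for content/offset/depth, distance/within and
dsize. Added example; not the list's own tooling, and it models only the subset
of Snort semantics these four rules use."""

from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Content:
    pattern: bytes
    offset: int = 0               # absolute: where the search window starts
    depth: Optional[int] = None   # absolute: how many bytes to search from offset
    distance: int = 0             # relative: skip N bytes after the previous match
    within: Optional[int] = None  # relative: match must end within N bytes


@dataclass(frozen=True)
class Rule:
    msg: str
    contents: Tuple[Content, ...]
    dsize_lt: Optional[int] = None  # models dsize:<N (None means no size constraint)


def find_content(payload: bytes, c: Content, prev_end: Optional[int]) -> Optional[int]:
    """Return the index just past the match, or None if the content is not found."""
    if prev_end is None:  # first content: absolute offset/depth window
        start = c.offset
        end = len(payload) if c.depth is None else c.offset + c.depth
    else:                 # later contents: relative to the previous match
        start = prev_end + c.distance
        end = len(payload) if c.within is None else start + c.within
    idx = payload.find(c.pattern, start, end)  # match must lie fully inside [start, end)
    return None if idx < 0 else idx + len(c.pattern)


def rule_matches(rule: Rule, payload: bytes) -> bool:
    """True if the dsize constraint holds and every content matches in order."""
    if rule.dsize_lt is not None and len(payload) >= rule.dsize_lt:
        return False
    prev_end = None
    for c in rule.contents:
        prev_end = find_content(payload, c, prev_end)
        if prev_end is None:
            return False
    return True


def with_dsize(rule: Rule, max_exclusive: int) -> Rule:
    """Copy of a rule with dsize:<max_exclusive added."""
    return replace(rule, dsize_lt=max_exclusive)


# The rules from the thread, transcribed into the dataclasses.
MANOLITO_CONN_1 = Rule("Manolito P2P Connection (1)",
                       (Content(b"\x3d\x4a\xd9", offset=0, depth=3),))
MANOLITO_CONN_2 = Rule("Manolito P2P Connection (2)",
                       (Content(b"\x3e\x4a\xd9", offset=0, depth=3),))
MANOLITO_PING = Rule("Manolito Ping",
                     (Content(b"\x3d", offset=0, depth=1),
                      Content(b"\xd9", distance=1),
                      Content(b"\xed\xbb", within=20)))
XUNLEI_UDP = Rule("ThunderNetwork UDP Traffic",
                  (Content(b"\x32\x00\x00\x00", offset=0, depth=4),),
                  dsize_lt=38)

# Constructed payloads (not captures): small P2P-looking datagrams and one
# large payload that merely starts with the Manolito connection bytes.
PAYLOADS = {
    "manolito_conn": b"\x3d\x4a\xd9" + b"\x00" * 5,
    "manolito_ping": b"\x3d\x00\xd9" + b"\x00" * 5 + b"\xed\xbb" + b"\x00" * 4,
    "xunlei_small": b"\x32\x00\x00\x00" + b"\x01" * 10,
    "xunlei_large": b"\x32\x00\x00\x00" + b"\x01" * 60,
    "bulk_prefix_collision": b"\x3d\x4a\xd9" + b"A" * 500,
}

# ASSUMPTION: 64 is a placeholder ceiling chosen for this example only.
MANOLITO_CONN_1_DSIZE = with_dsize(MANOLITO_CONN_1, 64)


def scan(rules: List[Rule], payloads: dict) -> List[Tuple[str, str]]:
    """Return (payload label, rule msg) pairs for every rule hit, in input order."""
    return [(label, r.msg) for label, p in payloads.items()
            for r in rules if rule_matches(r, p)]


if __name__ == "__main__":
    print("without dsize:", scan([MANOLITO_CONN_1, MANOLITO_PING, XUNLEI_UDP], PAYLOADS))
    print("with dsize:   ", scan([MANOLITO_CONN_1_DSIZE, MANOLITO_PING, XUNLEI_UDP], PAYLOADS))
```

Running it shows `bulk_prefix_collision` hitting the connection rule in the first scan and disappearing in the second, while the small Manolito and Xunlei datagrams match in both; the Ping rule's `within:20` is what stops the trailing `ed bb` from matching when it sits too far after the `d9`.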
