RE: [Snort-sigs] imesh signature?

From: Tony Hernandez <tonyh(at)housing.ufl.edu>
Date: Fri Mar 12 2004 - 10:11:37 EST


I'm fairly certain that imesh is or at least was using fasttrack or direct connect. So one of those rules should at least catch it. From what I remember it was the same thing as Kazaa so it was easily monitored.

-----Original Message-----

From: Jasmine CHUA [mailto:Jasmine.Chua@internationalsos.com]
Sent: Wednesday, March 10, 2004 2:51 AM
To: snort-sigs@lists.sourceforge.net
Subject: [Snort-sigs] imesh signature?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi

I am just wondering if anyone has been able to capture imesh P2P traffic successfully using snort? I tried to come out with these two signatures but I think it's not good enough and my IDS still does not detect imesh. :-(

alert tcp any any -> any any (msg:"iMesh P2P GET request"; flow:to_server,established; content:"GET /profile/profile.php?"; sid:1000030; rev:1; classtype:misc-attack;)

alert tcp any any -> any any (msg:"iMesh Possible P2P imesh.com host"; flow:to_server,established; content:"imesh.com"; sid:1000031; rev:1; classtype:misc-attack;)

Any hints will be appreciated!

Thanks,
Jasmine
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.1

iQA/AwUBQE7I6f4wcdIw6CVjEQKYFACfTV3b20sKtuYyB9UgHY5GU2jQjvUAn17k cQ/n+nf2/G25cR3DTOPS8pVZ
=ek+D
-----END PGP SIGNATURE-----



Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

Received on Fri Mar 12 10:48:14 2004

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:37 EDT

