Snort mailing list archives

signature needed for imesh p2p


From: Jasmine CHUA <Jasmine.Chua () internationalsos com>
Date: Wed, 10 Mar 2004 16:03:23 +0800

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hi

I am just wondering if anyone has been able to capture imesh P2P traffic
successfully using snort? I tried to come up with these two signatures but
I think it's not good enough and my IDS still does not detect imesh. :-(

alert tcp any any -> any any (msg:"iMesh P2P GET request"; flow:to_server,established; content:"GET /profile/profile.php?"; sid:1000030; rev:1; classtype:misc-attack;)
alert tcp any any -> any any (msg:"iMesh Possible P2P imesh.com host"; flow:to_server,established; content:"imesh.com"; sid:1000031; rev:1; classtype:misc-attack;)

Any hints will be appreciated! 

Thanks,
Jasmine

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.1

iQA/AwUBQE7Lyv4wcdIw6CVjEQKBtACeLtHPDJ0cJzlwvabizHorl20/+uUAoINN
pc1u2w7WcbuT29uafUYupkIw
=v4dB
-----END PGP SIGNATURE-----


Attachment: PGPexch.rtf.asc