p2p.rules

This is the snapshot of Snot Latest Rules

# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
#
# This file may contain proprietary rules that were created, tested and
# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
# rules that were created by Sourcefire and other third parties and
# distributed under the GNU General Public License (the "GPL Rules").  The
# VRT Certified Rules contained in this file are the property of
# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
# The GPL Rules created by Sourcefire, Inc. are the property of
# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
# Reserved.  All other GPL Rules are owned and copyrighted by their
# respective owners (please see www.snort.org/contributors for a list of
# owners and their respective copyrights).  In order to determine what
# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
# Certified Rules License Agreement.
#
#
# $Id: p2p.rules,v 1.30.6.3 2008/01/24 16:22:10 vrtbuild Exp $
#-------------
# P2P RULES
#-------------
# These signatures look for usage of P2P protocols, which are usually
# against corporate policy

alert tcp $HOME_NET any -> $EXTERNAL_NET 8888 (msg:"P2P napster login"; flow:to_server,established; content:"|00 02 00|"; depth:3; offset:1; metadata:policy security-ips drop; classtype:policy-violation; sid:549; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 8888 (msg:"P2P napster new user login"; flow:to_server,established; content:"|00 06 00|"; depth:3; offset:1; metadata:policy security-ips drop; classtype:policy-violation; sid:550; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"P2P napster download attempt"; flow:to_server,established; content:"|00 CB 00|"; depth:3; offset:1; metadata:policy security-ips drop; classtype:policy-violation; sid:551; rev:8;)
alert tcp $EXTERNAL_NET 8888 -> $HOME_NET any (msg:"P2P napster upload request"; flow:from_server,established; content:"|00|_|02|"; depth:3; offset:1; metadata:policy security-ips drop; classtype:policy-violation; sid:552; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P GNUTella client request"; flow:to_server,established; content:"GNUTELLA"; depth:8; metadata:policy security-ips drop; classtype:policy-violation; sid:1432; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P Outbound GNUTella client request"; flow:to_server,established; content:"GNUTELLA CONNECT"; depth:40; metadata:policy security-ips drop; classtype:policy-violation; sid:556; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P GNUTella client request"; flow:to_server,established; content:"GNUTELLA OK"; depth:40; metadata:policy security-ips drop; classtype:policy-violation; sid:557; rev:7;)
alert tcp $HOME_NET any <> $EXTERNAL_NET 6699 (msg:"P2P Napster Client Data"; flow:established; content:".mp3"; nocase; metadata:policy security-ips drop; classtype:policy-violation; sid:561; rev:7;)
alert tcp $HOME_NET any <> $EXTERNAL_NET 7777 (msg:"P2P Napster Client Data"; flow:to_server,established; content:".mp3"; nocase; metadata:policy security-ips drop; classtype:policy-violation; sid:562; rev:6;)
alert tcp $HOME_NET any <> $EXTERNAL_NET 6666 (msg:"P2P Napster Client Data"; flow:established; content:".mp3"; nocase; metadata:policy security-ips drop; classtype:policy-violation; sid:563; rev:7;)
alert tcp $HOME_NET any <> $EXTERNAL_NET 5555 (msg:"P2P Napster Client Data"; flow:established; content:".mp3"; nocase; metadata:policy security-ips drop; classtype:policy-violation; sid:564; rev:8;)
alert tcp $HOME_NET any <> $EXTERNAL_NET 8875 (msg:"P2P Napster Server Login"; flow:established; content:"anon@napster.com"; metadata:policy security-ips drop; classtype:policy-violation; sid:565; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1214 (msg:"P2P Fastrack kazaa/morpheus GET request"; flow:to_server,established; content:"GET "; depth:4; metadata:policy security-ips drop; reference:url,www.kazaa.com; reference:url,www.musiccity.com/technology.htm; classtype:policy-violation; sid:1383; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P Fastrack kazaa/morpheus traffic"; flow:to_server,established; content:"GET"; depth:3; content:"UserAgent|3A| KazaaClient"; metadata:policy security-ips drop; reference:url,www.kazaa.com; classtype:policy-violation; sid:1699; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P BitTorrent announce request"; flow:to_server,established; content:"GET"; depth:4; content:"/announce"; distance:1; content:"info_hash="; offset:4; content:"event=started"; offset:4; metadata:policy security-ips drop; classtype:policy-violation; sid:2180; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P BitTorrent transfer"; flow:to_server,established; content:"|13|BitTorrent protocol"; depth:20; metadata:policy security-ips drop; classtype:policy-violation; sid:2181; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 4242 (msg:"P2P eDonkey transfer"; flow:to_server,established; content:"|E3|"; depth:1; metadata:policy security-ips drop; reference:url,www.kom.e-technik.tu-darmstadt.de/publications/abstracts/HB02-1.html; classtype:policy-violation; sid:2586; rev:3;)
alert tcp $HOME_NET 4711 -> $EXTERNAL_NET any (msg:"P2P eDonkey server response"; flow:established,from_server; content:"Server|3A| eMule"; metadata:policy security-ips drop; reference:url,www.emule-project.net; classtype:policy-violation; sid:2587; rev:3;)
alert udp $HOME_NET any -> $EXTERNAL_NET 41170 (msg:"P2P Manolito Search Query"; flow:to_server; content:"|01 02 00 14|"; depth:4; offset:16; metadata:policy security-ips drop; reference:url,openlito.sourceforge.net; reference:url,www.blubster.com; classtype:policy-violation; sid:3459; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 5190 (msg:"P2P AOL Instant Messenger file receive attempt"; flow:to_server,established; content:"*|02|"; depth:2; content:"|00 04 00 06|"; within:8; distance:4; content:"|09|F|13|CL|7F 11 D1 82 22|DEST|00|"; distance:0; byte_test:2,=,2,-25,relative; metadata:policy security-ips drop; classtype:policy-violation; sid:3681; rev:3;)
alert tcp $EXTERNAL_NET 5190 -> $HOME_NET any (msg:"P2P AOL Instant Messenger file send attempt"; flow:from_server,established; content:"*|02|"; depth:2; content:"|00 04 00 07|"; within:8; distance:4; content:"|09|F|13|CL|7F 11 D1 82 22|DEST|00|"; distance:0; byte_test:2,=,2,-25,relative; metadata:policy security-ips drop; classtype:policy-violation; sid:3680; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"P2P Skype client successful install"; flow:to_server,established; uricontent:"/ui/"; uricontent:"/installed"; metadata:policy security-ips drop; reference:url,www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf; classtype:policy-violation; sid:5692; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"P2P Skype client setup get newest version attempt"; flow:to_server,established; uricontent:"/ui/"; uricontent:"/getnewestversion"; content:"Host|3A| ui.skype.com"; metadata:policy security-ips drop; reference:url,www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf; classtype:policy-violation; sid:5694; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"P2P Skype client start up get latest version attempt"; flow:to_server,established; uricontent:"/ui/"; uricontent:"/getlatestversion?ver="; content:"Host|3A| ui.skype.com"; metadata:policy security-ips drop; reference:url,www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf; classtype:policy-violation; sid:5693; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"P2P Skype client login"; flow:to_client,established; flowbits:isset,skype.login; dsize:5; content:"|17 03 01 00|"; depth:4; metadata:policy security-ips drop; classtype:policy-violation; sid:5999; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P Skype client login startup"; flow:to_server,established; dsize:5; content:"|16 03 01 00|"; depth:4; flowbits:set,skype.login; metadata:policy security-ips drop; classtype:policy-violation; sid:5998; rev:4;)
alert tcp $HOME_NET 3531 -> $EXTERNAL_NET any (msg:"P2P Outbound Joltid PeerEnabler traffic detected"; flow:established,to_server; content:"User-Agent|3A|"; nocase; content:"PeerEnabler"; nocase; content:"joltid"; nocase; pcre:"/^User-Agent\x3A\s+PeerEnabler[^\r\n]+joltid/smi"; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453078786; reference:url,www.joltid.com; classtype:policy-violation; sid:12691; rev:1;)