alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P Limewire P2P UDP Traffic"; dsize:35; content:"|49 50 40 83 53 43 50 41 00 00|"; offset:25; depth:10; threshold: type both, track by_src, count 1, seconds 360; classtype: policy-violation; reference:url,www.limewire.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001809; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Limewire; sid:2001809; rev:6;)
Added 2010-06-28 22:46:59 UTC
alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P Limewire P2P UDP Traffic"; dsize:35; content:"|49 50 40 83 53 43 50 41 00 00|"; offset:25; depth:10; threshold: type both, track by_src, count 1, seconds 360; classtype: policy-violation; reference:url,www.limewire.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001809; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Limewire; sid: 2001809; rev:6;)
Added 2009-02-10 20:53:06 UTC
alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P Limewire P2P UDP Traffic"; dsize:35; content:"|49 50 40 83 53 43 50 41 00 00|"; offset:25; depth:10; threshold: type both, track by_src, count 1, seconds 360; classtype: policy-violation; reference:url,www.limewire.com; sid: 2001809; rev:5;)
Added 2008-01-29 10:31:04 UTC
alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg: "BLEEDING-EDGE P2P Limewire P2P UDP Traffic"; dsize:35; content:"|49 50 40 83 53 43 50 41 00 00|"; offset:25; depth:10; threshold: type both, track by_src, count 1, seconds 360; classtype: policy-violation; reference:url,www.limewire.com; sid: 2001809; rev:4;)
Auto-added on 2007-03-01 05:51:24 UTC
alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg: "BLEEDING-EDGE P2P Limewire P2P UDP Traffic"; dsize:35; content:"|49 50 40 83 53 43 50 41 00 00|"; offset:25; depth:10; threshold: type both, track by_src, count 1, seconds 360; classtype: policy-violation; reference:url,www.limewire.com; sid: 2001809; rev:4;)
Auto-added on 2007-03-01 01:00:31 UTC
I've taken the liberty of making the port ranges like so, and adding depth and offset to the original limewire sig:
alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg: "BLEEDING-EDGE P2P Limewire P2P UDP Traffic"; dsize:35; content:"|49 50 40 83 53 43 50 41 00 00|"; offset:25; depth:10; threshold: type both, track by_src, count 1, seconds 360; classtype: policy-violation; reference:url,www.limewire.com; sid: 2001809; rev:4;)
I think this will be accurate, but I want to make sure it's not going to overload sensors. Just being udp and over 1024 I think it'll be fine.
Please report how it goes
Matt
Matt Jonkman wrote:
> Excellent! Glad that's identified...
>
> Now, should we consider altering this signature to look for a wider port
> range? If we could add a depth or offset to nail that down some, the
> content string is long enough that it shouldn't be a HUGE load addition.
>
> Can I assume that the depth and offset you had in your sig Jeff would
> apply here and stay reliable?
>
> What expanded range of ports should we consider then? (I'm not
> limewire-savvy)
>
> Matt
>
> Jeff Kell wrote:
>> Markus Lude wrote:
>>> Do you have some hits from sid 2001809 too? Sid 2001809 is looking for
>>> limewire traffic. Maybe some unusual ports in your traffic? On which
>>> ports or port ranges do you see those packets?
>>>
>>> sid 2001809 rev 3:
>>>
>>> alert udp $HOME_NET 6346 -> $EXTERNAL_NET 6346:6700 (msg: "BLEEDING-EDGE P2P Limewire P2P UDP Traffic"; content:"|49 50 40 83 53 43 50 41|"; threshold: type threshold, track by_src,count 10, seconds 60; classtype: policy-violation; reference:url,www.limewire.com; sid: 2001809; rev:3; )
>> Ah HAH! They just port jumped!
>>
>> Thanks Markus. Yes, they had fired some Limewire signatures earlier
>> (which results in undesirable "corrective measures" being taken), at
>> which point I guess they just changed the default port configurations.
>> I didn't examine the existing signature closely enough.
>>
>> That makes perfect sense now.
>>
>> Jeff
>>
>> _______________________________________________
>> Bleeding-sigs mailing list
>> Bleeding-sigs@bleedingthreats.net
>> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs
>
--
MattJonkman - 01 Mar 2007
alert udp $HOME_NET 6346 -> $EXTERNAL_NET 6346:6700 (msg: "BLEEDING-EDGE P2P Limewire P2P UDP Traffic"; content:"|49 50 40 83 53 43 50 41|"; threshold: type threshold, track by_src,count 10, seconds 60; classtype: policy-violation; reference:url,www.limewire.com; sid: 2001809; rev:3; )