#alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P Edonkey Publicize File"; dsize:>15; content:"|e3 0c|"; depth:2; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003310; classtype:policy-violation; sid:2003310; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Added 2017-08-07 20:56:37 UTC


#alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P Edonkey Publicize File"; dsize:>15; content:"|e3 0c|"; depth:2; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003310; classtype:policy-violation; sid:2003310; rev:4;)

Added 2015-10-07 17:58:42 UTC


alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P Edonkey Publicize File"; dsize:>15; content:"|e3 0c|"; depth:2; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003310; classtype:policy-violation; sid:2003310; rev:3;)

Added 2011-10-12 19:13:14 UTC

Documentation: End users may attempt to take advantage of corporate bandwidth to download large files for their personal use. P2P applications like Edonkey make downloading large files easy. This can also introduce malware and viruses from untrusted sources in hacked files. The eDonkey network is a peer-to-peer network that relies on servers to connect users; it typically runs multiple international servers.

False Positives: Windows servers can send broadcast messages that trigger this alert. See also: http://www.iss.net/security_center/reference/vuln/Edonkey_Connect.htm

Analyst Response: Determine whether the client or the server is running Edonkey software. Remove or allow usage according to company policy.

reference:url,www.giac.org/paper/gsec/4071/fight-p2p-corporate-environment/106502;

-- NetavarkaSuraksa - 2014-03-06
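To make the scope of this signature concrete, here is an added example (not Emerging Threats code) that re-implements the three checks the rule performs: ephemeral ports on both sides, dsize:>15, and the two content bytes within depth:2 (i.e. at payload offset 0). The packets are constructed, not captured, and it shows why any UDP datagram that happens to start with e3 0c will alert, which is the root of the Windows broadcast and Skype false positives noted above.

```python
# Added example: model of what sid 2003310 matches. Not ET code; the
# sample packets below are constructed for illustration.
from dataclasses import dataclass

EDONKEY_MARKER = bytes.fromhex("e30c")   # content:"|e3 0c|"
MIN_PAYLOAD = 16                          # dsize:>15
PORT_RANGE = range(1024, 65536)           # 1024:65535 on source and destination


@dataclass
class UdpPacket:
    src_port: int
    dst_port: int
    payload: bytes


def matches_sid_2003310(pkt: UdpPacket) -> bool:
    """True when the packet would raise 'ET P2P Edonkey Publicize File'.

    depth:2 confines the content search to the first two payload bytes, so
    the marker must sit at offset 0; nothing after it is inspected.
    """
    if pkt.src_port not in PORT_RANGE or pkt.dst_port not in PORT_RANGE:
        return False
    if len(pkt.payload) < MIN_PAYLOAD:
        return False
    return pkt.payload[:2] == EDONKEY_MARKER


# Constructed samples; bytes after the marker are filler, not real eDonkey
# messages. "unrelated_app" stands for any non-eDonkey datagram whose first
# two bytes coincide with the marker, which the rule cannot tell apart.
SAMPLES = {
    "edonkey_like":  UdpPacket(4672, 4665, EDONKEY_MARKER + b"\x00" * 20),
    "too_short":     UdpPacket(4672, 4665, EDONKEY_MARKER + b"\x00" * 10),
    "marker_late":   UdpPacket(4672, 4665, b"\x00\x00" + EDONKEY_MARKER + b"\x00" * 20),
    "from_dns_port": UdpPacket(53, 4665, EDONKEY_MARKER + b"\x00" * 20),
    "unrelated_app": UdpPacket(50000, 40000, EDONKEY_MARKER + bytes(range(20))),
}


def alerting_samples() -> list:
    """Names of the constructed packets that would trigger the alert."""
    return [name for name, pkt in SAMPLES.items() if matches_sid_2003310(pkt)]


if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:14s} -> {'ALERT' if matches_sid_2003310(pkt) else 'no alert'}")
```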


alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P Edonkey Publicize File"; dsize:>15; content:"|e3 0c|"; depth:2; classtype:policy-violation; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003310; sid:2003310; rev:3;)

Added 2011-09-14 22:26:11 UTC


alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P Edonkey Publicize File"; dsize:>15; content:"|e3 0c|"; depth:2; classtype:policy-violation; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003310; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Edonkey_Traffic; sid:2003310; rev:3;)

Added 2011-02-04 17:22:23 UTC


alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P Edonkey Publicize File"; dsize:>15; content:"|e3 0c|"; depth:2; classtype:policy-violation; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003310; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Edonkey_Traffic; sid:2003310; rev:3;)

Added 2009-02-10 20:53:06 UTC


alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P Edonkey Publicize File"; dsize:>15; content:"|e3 0c|"; depth:2; classtype:policy-violation; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; sid:2003310; rev:2;)

Added 2008-01-29 10:56:39 UTC

This rule is also commonly triggered by Skype traffic

-- JohnQPublic - 03 May 2008


alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"BLEEDING-EDGE P2P Edonkey Publicize File"; dsize:>15; content:"|e3 0c|"; depth:2; classtype:policy-violation; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; sid:2003310; rev:1;)



Topic revision: r3 - 2014-03-06 - NetavarkaSuraksa