#alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET DELETED eMule KAD Network Hello Request (2)"; dsize:27; content:"|e4 10|"; depth:2; byte_test:2,<,65535,0,relative; threshold: type limit, count 5, seconds 600, track by_src; reference:url,emule-project.net; reference:url,doc.emergingthreats.net/2009971; classtype:policy-violation; sid:2009971; rev:6;)

Added 2014-12-08 17:52:20 UTC


alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P eMule KAD Network Hello Request (2)"; dsize:27; content:"|e4 10|"; depth:2; byte_test:2,<,65535,0,relative; threshold: type limit, count 5, seconds 600, track by_src; reference:url,emule-project.net; reference:url,doc.emergingthreats.net/2009971; classtype:policy-violation; sid:2009971; rev:6;)

Added 2014-04-14 19:22:49 UTC


alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P eMule KAD Network Hello Request (2)"; content:"|e4 10|"; depth:2; byte_test:2,<,65535,0,relative; threshold: type limit, count 5, seconds 600, track by_src; reference:url,emule-project.net; reference:url,doc.emergingthreats.net/2009971; classtype:policy-violation; sid:2009971; rev:5;)

Added 2011-10-12 19:28:40 UTC

False positive on Link-Local Multicast Name Resolution, used by some Windows Vista and 7 systems. Packets contain the word UPDATE and are sent to the multicast address 224.0.0.252.

-- MrKrugger - 24 Nov 2011

This is in fact a false positive; this is Link-Local Multicast Name Resolution traffic, and this signature/rule needs to be modified or removed. This could be a good informational alert for LLMNR traffic, and for admins to disable it if not used, to reduce network clutter and potentially speed up their network. However, this is definitely NOT eMule/P2P/KAD network or anything of the sort.

-- DrewD - 2013-10-31

False positive ... MikroTik Discovery Protocol

-- TheRobert - 2014-04-11
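
The three comments above report false positives on LLMNR and MikroTik discovery traffic. The following is an added example, not code from this page or from Emerging Threats: it re-implements the detection options of SID 2009971 at rev 4, rev 5 and rev 6 in plain Python and runs them over constructed packets, a KAD hello request shaped the way the rule intends and LLMNR queries whose 16-bit DNS-style transaction ID happens to be 0xE410. It shows where the false positives come from: `byte_test` with `<=,65535` on a 16-bit field is always true and `<,65535` only excludes the value 0xFFFF, so through rev 5 the rule reduces to "first two payload bytes are e4 10, both ports unprivileged", and the `dsize:27` added in rev 6 only narrows the collision to queries of one particular length. The KAD field layout, the port numbers, the names and addresses are constructed for the example; `$HOME_NET`/`$EXTERNAL_NET` are assumed satisfied (with the default `$EXTERNAL_NET` of `!$HOME_NET`, the multicast address 224.0.0.252 is external), so only ports and payload are modelled.

```python
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class UdpPacket:
    """Constructed UDP datagram model: only the fields the rule header and options look at."""
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


def _be16(payload: bytes, pos: int):
    """Unsigned big-endian 16-bit value at pos, or None if the payload is too short
    (byte_test fails, rather than matching, when the bytes are not there)."""
    if pos < 0 or pos + 2 > len(payload):
        return None
    return struct.unpack_from(">H", payload, pos)[0]


def matches_sid2009971(pkt: UdpPacket, rev: int) -> bool:
    """Detection options of SID 2009971 at rev 4, 5 and 6, as listed on this page.

    Common to all revisions:
      alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 ... content:"|e4 10|"; depth:2;
    Address variables are assumed satisfied; only ports and payload are checked here.
    """
    if not (1024 <= pkt.src_port <= 65535 and 1024 <= pkt.dst_port <= 65535):
        return False
    p = pkt.payload
    # content:"|e4 10|"; depth:2 -> the two bytes must be payload offsets 0 and 1.
    if p[:2] != b"\xe4\x10":
        return False
    cursor = 2  # "relative" byte_tests work from the end of the content match
    if rev == 4:
        # byte_test:2,<=,65535,16,relative; byte_test:2,<=,65535,0,relative
        # byte_test does not move the cursor, so both are relative to offset 2.
        # "<= 65535" holds for every 16-bit value: together they only require len(p) >= 20.
        a, b = _be16(p, cursor + 16), _be16(p, cursor)
        return a is not None and b is not None and a <= 65535 and b <= 65535
    if rev in (5, 6):
        # byte_test:2,<,65535,0,relative -> only excludes the value 0xFFFF at offset 2.
        v = _be16(p, cursor)
        if v is None or not v < 65535:
            return False
        # rev 6 added dsize:27: a 2-byte KAD header plus a 25-byte HELLO_REQ body.
        return len(p) == 27 if rev == 6 else True
    raise ValueError(f"revision {rev} not modelled")


# --- constructed samples (not captures from the page) --------------------------------

# KAD hello request as the rule intends: 0xE4 (KAD header) 0x10 (HELLO_REQ opcode),
# 16-byte client ID, 4-byte IP, 2-byte UDP port, 2-byte TCP port, 1-byte type = 27 bytes.
# This field order is an assumption of the example, not stated on the page.
KAD_HELLO = UdpPacket(
    src_port=4672, dst_ip="198.51.100.7", dst_port=4672,
    payload=b"\xe4\x10" + bytes(range(16)) + bytes([10, 0, 0, 5])
            + struct.pack("<HH", 4672, 4662) + b"\x08",
)


def llmnr_query(txid: int, name: str) -> UdpPacket:
    """LLMNR A query to the 224.0.0.252:5355 multicast group. LLMNR reuses the DNS header,
    whose first field is the 16-bit transaction ID; a txid of 0xE410 collides with the rule."""
    header = struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0)  # id, flags, qd=1, an, ns, ar
    qname = bytes([len(name)]) + name.encode("ascii") + b"\x00"
    question = qname + struct.pack(">HH", 1, 1)  # QTYPE A, QCLASS IN
    return UdpPacket(src_port=49152, dst_ip="224.0.0.252", dst_port=5355,
                     payload=header + question)


LLMNR_COLLIDING_22 = llmnr_query(0xE410, "host")       # 12 + 6 + 4 = 22-byte payload
LLMNR_COLLIDING_27 = llmnr_query(0xE410, "WORKGROUP")  # 12 + 11 + 4 = 27-byte payload
LLMNR_OTHER_ID = llmnr_query(0x1234, "WORKGROUP")      # any other txid never fires


def evaluate(rev: int) -> dict:
    """Run one revision of the rule over all samples; name -> fired?"""
    samples = {
        "kad_hello": KAD_HELLO,
        "llmnr_22": LLMNR_COLLIDING_22,
        "llmnr_27": LLMNR_COLLIDING_27,
        "llmnr_other": LLMNR_OTHER_ID,
    }
    return {name: matches_sid2009971(pkt, rev) for name, pkt in samples.items()}


if __name__ == "__main__":
    for rev in (4, 5, 6):
        print(f"rev {rev}: {evaluate(rev)}")
```

With a uniformly random transaction ID, one LLMNR query in 65536 starts with e4 10, so on a busy Windows segment the collision is a matter of time; the `threshold: type limit, count 5, seconds 600, track by_src` only rate-limits the resulting alerts, it does not remove them. Rev 6 stops firing on the 22-byte query but still fires on the 27-byte one, which is why the length check alone could not rescue the rule.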


alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P eMule KAD Network Hello Request (2)"; content:"|e4 10|"; depth:2; byte_test:2,<,65535,0,relative; threshold: type limit, count 5, seconds 600, track by_src; classtype:policy-violation; reference:url,emule-project.net; reference:url,doc.emergingthreats.net/2009971; sid:2009971; rev:5;)

Added 2011-09-14 22:41:57 UTC


alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P eMule KAD Network Hello Request (2)"; content:"|e4 10|"; depth:2; byte_test:2,<,65535,0,relative; threshold: type limit, count 5, seconds 600, track by_src; classtype:policy-violation; reference:url,emule-project.net; reference:url,doc.emergingthreats.net/2009971; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_eMule; sid:2009971; rev:5;)

Added 2011-02-04 17:29:24 UTC


alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P eMule KAD Network Hello Request (2)"; content:"|e4 10|"; depth:2; byte_test:2,<,65535,0,relative; threshold: type limit, count 5, seconds 600, track by_src; classtype:policy-violation; reference:url,emule-project.net; reference:url,doc.emergingthreats.net/2009971; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_eMule; sid:2009971; rev:5;)

Added 2010-04-19 15:38:39 UTC


alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P eMule KAD Network Hello Request (2)"; content:"|e4 10|"; depth:2; byte_test:2,<=,65535,16,relative; byte_test:2,<=,65535,0,relative; threshold: type limit, count 5, seconds 600, track by_src; classtype:policy-violation; reference:url,emule-project.net; reference:url,doc.emergingthreats.net/2009971; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_eMule; sid:2009971; rev:4;)

Added 2010-02-16 08:42:02 UTC


alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P eMule KAD Network Hello Request (2)"; content:"|e4 10|"; offset:0; depth:2; byte_test:2,<=,65535,16,relative; byte_test:2,<=,65535,0,relative; threshold: type limit, count 5, seconds 600, track by_src; classtype:policy-violation; reference:url,emule-project.net; reference:url,doc.emergingthreats.net/2009971; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_eMule; sid:2009971; rev:3;)

Added 2009-09-26 20:00:37 UTC


alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P eMule KAD Network Hello Request (2)"; content:"|e4 10|"; offset:0; depth:2; byte_test:2,<=,65535,16,relative; byte_test:2,<=,65535,0,relative; classtype:policy-violation; reference:url,emule-project.net; reference:url,doc.emergingthreats.net/2009971; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_eMule; sid:2009971; rev:2;)

Added 2009-09-23 20:04:26 UTC


alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P eMule KAD Network Hello Request (2)"; content:"|e4 10|"; offset:0; depth:2; byte_test:2,<=,65535,16,relative; byte_test:2,<=,65535,0,relative; classtype:policy-violation; reference:url,emule-project.net; reference:url,doc.emergingthreats.net/2009971; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_eMule; sid:2009971; rev:2;)

Added 2009-09-23 20:00:38 UTC


alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P eMule KAD Network Hello Request (2)"; content:"|e4 10|"; offset:0; depth:2; byte_test:2,<=,65535,16,relative; byte_test:2,<=,65535,0,relative; classtype:policy-violation; reference:url,emule-project.net; sid:2009971; rev:1;)

Added 2009-09-23 16:30:38 UTC


Topic revision: r4 - 2014-04-11 - TheRobert