#alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P Edonkey Publicize File"; dsize:>15; content:"|e3 0c|"; depth:2; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003310; classtype:policy-violation; sid:2003310; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
Added 2018-09-13 19:38:42 UTC
Added 2018-09-13 17:53:12 UTC
#alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P Edonkey Publicize File"; dsize:>15; content:"|e3 0c|"; depth:2; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003310; classtype:policy-violation; sid:2003310; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
Added 2017-08-07 20:56:37 UTC
#alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P Edonkey Publicize File"; dsize:>15; content:"|e3 0c|"; depth:2; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003310; classtype:policy-violation; sid:2003310; rev:4;)
Added 2015-10-07 17:58:42 UTC
alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P Edonkey Publicize File"; dsize:>15; content:"|e3 0c|"; depth:2; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003310; classtype:policy-violation; sid:2003310; rev:3;)
Added 2011-10-12 19:13:14 UTC
Documentation: End users may attempt to take advantage of corporate bandwidth to download large files for their personal use.
P2P applications like Edonkey make downloading large files easy. This can also introduce malware and viruses from untrusted sources in hacked files. The eDonkey network is a peer-to-peer network that relies on servers to connect users. It typically runs multiple international servers.
False Positives: Windows servers can send broadcast messages that trigger this alert. See also:
http://www.iss.net/security_center/reference/vuln/Edonkey_Connect.htm
Analyst Response: Determine if the client or server are running Edonkey software. Remove or allow usage according to company policy.
reference:url,www.giac.org/paper/gsec/4071/fight-p2p-corporate-environment/106502;
--
NetavarkaSuraksa - 2014-03-06
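To make the documented options concrete, the following added example (not code from the ET rule page or from Emerging Threats) re-implements the match logic of SID 2003310 over constructed UDP packets; the packet model and the src_home/dst_external flags standing in for $HOME_NET -> $EXTERNAL_NET are assumptions of this example.

```python
# Added example, not part of the ET rule page: re-implements the match logic
# of SID 2003310 so each rule option can be checked against constructed packets.
from dataclasses import dataclass

PORT_LOW, PORT_HIGH = 1024, 65535   # source and destination ports: 1024:65535
CONTENT = bytes.fromhex("e30c")     # content:"|e3 0c|"
DEPTH = 2                           # depth:2 - content must lie within the first 2 payload bytes
MIN_DSIZE = 16                      # dsize:>15


@dataclass
class UdpPacket:
    """Constructed packet model; src_home/dst_external stand in for $HOME_NET -> $EXTERNAL_NET."""
    src_port: int
    dst_port: int
    payload: bytes
    src_home: bool = True
    dst_external: bool = True


def failed_checks(pkt: UdpPacket) -> list:
    """Return the rule options the packet does NOT satisfy (empty list means the rule fires)."""
    failed = []
    if not (pkt.src_home and pkt.dst_external):
        failed.append("direction")
    if not (PORT_LOW <= pkt.src_port <= PORT_HIGH and PORT_LOW <= pkt.dst_port <= PORT_HIGH):
        failed.append("ports")
    if len(pkt.payload) < MIN_DSIZE:
        failed.append("dsize")
    # depth:2 limits the search window to payload[:2]; with a 2-byte pattern that
    # means the marker must sit at offset 0, not merely somewhere in the datagram.
    if CONTENT not in pkt.payload[:DEPTH]:
        failed.append("content/depth")
    return failed


def matches_sid_2003310(pkt: UdpPacket) -> bool:
    return not failed_checks(pkt)


# Constructed sample payloads (not captured traffic)
HIT = UdpPacket(4662, 4672, CONTENT + b"\x00" * 20)
TOO_SHORT = UdpPacket(4662, 4672, CONTENT + b"\x00" * 10)               # 12 bytes, fails dsize
MARKER_LATE = UdpPacket(4662, 4672, b"\x00" + CONTENT + b"\x00" * 20)   # e3 0c at offset 1
LOW_PORT = UdpPacket(53, 4672, CONTENT + b"\x00" * 20)                   # source port below 1024
INBOUND = UdpPacket(4662, 4672, CONTENT + b"\x00" * 20, src_home=False, dst_external=False)

if __name__ == "__main__":
    for name, pkt in [("HIT", HIT), ("TOO_SHORT", TOO_SHORT), ("MARKER_LATE", MARKER_LATE),
                      ("LOW_PORT", LOW_PORT), ("INBOUND", INBOUND)]:
        print(f"{name:12} match={matches_sid_2003310(pkt)} failed={failed_checks(pkt)}")
```

Because the check is only two bytes at offset 0 plus a length floor, any unrelated UDP traffic that happens to start with e3 0c on high ports will fire it, which is consistent with the false positives noted above.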
alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P Edonkey Publicize File"; dsize:>15; content:"|e3 0c|"; depth:2; classtype:policy-violation; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003310; sid:2003310; rev:3;)
Added 2011-09-14 22:26:11 UTC
alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P Edonkey Publicize File"; dsize:>15; content:"|e3 0c|"; depth:2; classtype:policy-violation; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003310; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Edonkey_Traffic; sid:2003310; rev:3;)
Added 2011-02-04 17:22:23 UTC
alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P Edonkey Publicize File"; dsize:>15; content:"|e3 0c|"; depth:2; classtype:policy-violation; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003310; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Edonkey_Traffic; sid:2003310; rev:3;)
Added 2009-02-10 20:53:06 UTC
alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P Edonkey Publicize File"; dsize:>15; content:"|e3 0c|"; depth:2; classtype:policy-violation; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; sid:2003310; rev:2;)
Added 2008-01-29 10:56:39 UTC
This rule is also commonly triggered by Skype traffic.
--
JohnQPublic - 03 May 2008
alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"BLEEDING-EDGE P2P Edonkey Publicize File"; dsize:>15; content:"|e3 0c|"; depth:2; classtype:policy-violation; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; sid:2003310; rev:1;)