#alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET DELETED Edonkey Search Request (any type file)"; dsize:>19; content:"|e3 0e|"; depth:2; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003317; classtype:policy-violation; sid:2003317; rev:3;)

Added 2015-02-05 18:37:33 UTC


alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P? Edonkey Search Request (any type file)"; dsize:>19; content:"|e3 0e|"; depth:2; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003317; classtype:policy-violation; sid:2003317; rev:3;)

Added 2011-10-12 19:13:15 UTC

as JohnQ? Public wrote :

This rule is also commonly triggered by Skype traffic

-- JohnQPublic - 03 May 2008

Is there any way to modify the rule to stop these false positives?

-- EricVargas - 2014-08-26

We'll take a look at this tomorrow to see if anything can be done.

-- DarienH - 2014-08-26

When using the multicast address 224.0.0.252 on port 5355 this is commonly Link-Local Multicast Name Resolution http://en.wikipedia.org/wiki/Link-Local_Multicast_Name_Resolution

-- MitchellArtin - 2015-02-05


alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P? Edonkey Search Request (any type file)"; dsize:>19; content:"|e3 0e|"; depth:2; classtype:policy-violation; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003317; sid:2003317; rev:3;)

Added 2011-09-14 22:26:12 UTC


alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P? Edonkey Search Request (any type file)"; dsize:>19; content:"|e3 0e|"; depth:2; classtype:policy-violation; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003317; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Edonkey_Traffic; sid:2003317; rev:3;)

Added 2011-02-04 17:22:23 UTC

FP with Windows 2008 and WIndows Vista LLMNR o Link Local Multicast Name Resolution Service.

-- AgustinRoca - 15 Jun 2011

Thanks for the report Agustin. Anything in the packet we could use to eliminate the hits?

-- MattJonkman - 15 Jun 2011


alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P? Edonkey Search Request (any type file)"; dsize:>19; content:"|e3 0e|"; depth:2; classtype:policy-violation; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003317; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Edonkey_Traffic; sid:2003317; rev:3;)

Added 2009-02-10 20:53:06 UTC


alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P? Edonkey Search Request (any type file)"; dsize:>19; content:"|e3 0e|"; depth:2; classtype:policy-violation; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003317; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Edonkey_Traffic; sid:2003317; rev:3;)

Added 2009-02-10 20:53:06 UTC


alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P? Edonkey Search Request (any type file)"; dsize:>19; content:"|e3 0e|"; depth:2; classtype:policy-violation; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; sid:2003317; rev:2;)

Added 2008-01-29 10:56:39 UTC

This rule is also commonly triggered by Skype traffic

-- JohnQPublic - 03 May 2008


alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P? Edonkey Search Request (any type file)"; dsize:>19; content:"|e3 0e|"; depth:2; classtype:policy-violation; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; sid:2003317; rev:2;)

Added 2008-01-29 10:56:39 UTC


alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"BLEEDING-EDGE P2P? Edonkey Search Request (any type file)"; dsize:>19; content:"|e3 0e|"; depth:2; classtype:policy-violation; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; sid:2003317; rev:1;)



Topic revision: r7 - 2015-02-05 - MitchellArtin
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats