alert udp $HOME_NET any -> any any (msg:"BLEEDING-EDGE CURRENT Unknown P2P? Traffic -- Please report hits and packets to Bleeding@bleedingthreats.net or at the included reference"; dsize:35; content:"|49 50 40 83 53 43 50 41 00 00|"; offset:25; depth:10; threshold: type both, track by_src, count 1, seconds 360; reference:url,doc.bleedingthreats.net/2003459; classtype:unknown; sid:2003459; rev:1;)

Auto-added on 2007-02-28 21:04:29 UTC


Text from an initial report:

Here's a weird one... have several users spitting out hundreds of UDP packets. What I know so far:

* the source port is fixed for a given user (but varies by user),
* the destination ports appear to be random, but more than a coincidental number are 6346, making me suspect this is some new gnutella-ish thing,
* they go out in "bursts" periodically (like polling),
* they seem to be the same 35-byte payloads regardless of destination.

The payload is as follows:

    0020  75 70 25 8e 89 45                                up%..E
    0030  32 a1 81 d0 3f fe 3e be e1 00 00 01 00 0c 00 00  2...?.>.........
    0040  00 c3 02 49 50 40 83 53 43 50 41 00 00           ...IP@.SCPA..

-- MattJonkman - 28 Feb 2007

Identified! Thanks to Markus Lude:

Markus Lude wrote:

> >> Do you have some hits from sid 2001809 too? Sid 2001809 is looking for
> >> limewire traffic. Maybe some unusual ports in your traffic? On which
> >> ports or port ranges do you see those packets?
> >>
> >> sid 2001809 rev 3:
> >>
> >> alert udp $HOME_NET 6346 -> $EXTERNAL_NET 6346:6700 (msg: "BLEEDING-EDGE P2P? Limewire P2P? UDP Traffic"; content:"|49 50 40 83 53 43 50 41|"; threshold: type threshold, track by_src,count 10, seconds 60; classtype: policy-violation; reference:url,www.limewire.com; sid: 2001809; rev:3; )

-- MattJonkman - 01 Mar 2007

This has been removed; the changes were integrated into sid 2001809.

-- MattJonkman - 01 Mar 2007
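As an added worked example (not part of the original page or of the Bleeding Threats ruleset), the Python below models the matching and thresholding of both rules on this page, sid 2003459 at the top and sid 2001809 rev 3 as quoted by Markus Lude, and runs them over a constructed packet stream carrying the 35-byte payload from the report. The Snort semantics it models (dsize, content with offset/depth, and the limit/threshold/both threshold types tracked by source) are my reading of the Snort rule language, and every host address, port and timestamp in sample_traffic() is made up, shaped only loosely like the report (a fixed source port per host, 6346 over-represented as the destination port).

```python
"""Added example (not from the original page): a toy model of sid 2003459 and
sid 2001809 rev 3 run over constructed UDP traffic.

Assumed Snort semantics (my reading, not stated on the page):
  - dsize:N                    -> UDP payload length must equal N
  - content; offset:O; depth:D -> pattern must lie inside payload[O:O+D]
  - threshold type limit       -> alert on the first N events per window
  - threshold type threshold   -> alert on every N-th event in a window
  - threshold type both        -> alert once when N is reached, then nothing
                                  until the window (opened by the first event
                                  from that source) expires
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# The 35 payload bytes copied from the hexdump in the initial report.
PAYLOAD = bytes.fromhex(
    "75 70 25 8e 89 45"
    "32 a1 81 d0 3f fe 3e be e1 00 00 01 00 0c 00 00"
    "00 c3 02 49 50 40 83 53 43 50 41 00 00"
)
# sid 2003459: content:"|49 50 40 83 53 43 50 41 00 00|"; offset:25; depth:10;
CONTENT_2003459 = bytes.fromhex("49 50 40 83 53 43 50 41 00 00")
# sid 2001809 rev 3: content:"|49 50 40 83 53 43 50 41|" with no offset/depth
CONTENT_2001809 = bytes.fromhex("49 50 40 83 53 43 50 41")


@dataclass
class UdpPacket:
    ts: float        # capture time in seconds
    src: str
    sport: int
    dport: int
    payload: bytes


def content_at(payload: bytes, pattern: bytes, offset: int = 0,
               depth: Optional[int] = None) -> bool:
    """Snort-style content match restricted to payload[offset:offset+depth]."""
    end = len(payload) if depth is None else offset + depth
    return pattern in payload[offset:end]


def matches_2003459(p: UdpPacket) -> bool:
    # alert udp $HOME_NET any -> any any (... dsize:35; content:...; offset:25; depth:10; ...)
    return len(p.payload) == 35 and content_at(p.payload, CONTENT_2003459, 25, 10)


def matches_2001809(p: UdpPacket) -> bool:
    # alert udp $HOME_NET 6346 -> $EXTERNAL_NET 6346:6700 (... content:...; ...)
    return (p.sport == 6346 and 6346 <= p.dport <= 6700
            and content_at(p.payload, CONTENT_2001809))


class Threshold:
    """threshold: type {limit|threshold|both}, track by_src, count N, seconds S."""

    def __init__(self, kind: str, count: int, seconds: int):
        self.kind, self.count, self.seconds = kind, count, seconds
        self.windows: Dict[str, Tuple[float, int]] = {}  # src -> (window start, events)

    def event(self, src: str, ts: float) -> bool:
        start, n = self.windows.get(src, (ts, 0))
        if ts - start >= self.seconds:   # window expired: open a fresh one
            start, n = ts, 0
        n += 1
        self.windows[src] = (start, n)
        if self.kind == "limit":
            return n <= self.count
        if self.kind == "threshold":
            return n % self.count == 0
        return n == self.count           # "both"


def run(packets: List[UdpPacket], matcher: Callable[[UdpPacket], bool],
        thr: Threshold) -> List[Tuple[str, float, int]]:
    """(src, ts, dport) of every alert the rule would emit. Only packets the
    rule body matches count toward the threshold, as in Snort."""
    return [(p.src, p.ts, p.dport) for p in packets if matcher(p) and thr.event(p.src, p.ts)]


def sample_traffic() -> List[UdpPacket]:
    """Constructed stream; all hosts, ports and times are made up."""
    pkts = []
    # Host A: fixed source port 50120, 8-packet bursts at t=0, 120 and 400 s,
    # destination ports mostly random with 6346 over-represented.
    for burst in (0.0, 120.0, 400.0):
        for i, dport in enumerate([6346, 21017, 6346, 55421, 6346, 6350, 40123, 6346]):
            pkts.append(UdpPacket(burst + i, "10.0.0.5", 50120, dport, PAYLOAD))
    # Host B: source port 6346, twelve packets to 6346-6700, one per second from t=5.
    for i in range(12):
        pkts.append(UdpPacket(5.0 + i, "10.0.0.9", 6346, [6346, 6348, 6400, 6700][i % 4], PAYLOAD))
    # Near miss for 2003459: same bytes plus one trailing byte, so dsize:35 fails.
    pkts.append(UdpPacket(20.0, "10.0.0.9", 6346, 6346, PAYLOAD + b"\x00"))
    # Near miss for 2003459: 35 bytes and the pattern is present, but outside the
    # offset:25 depth:10 window. 2001809, which has no offset/depth, still matches.
    pkts.append(UdpPacket(21.0, "10.0.0.9", 6346, 6346, CONTENT_2003459 + b"\x00" * 25))
    return sorted(pkts, key=lambda p: p.ts)


if __name__ == "__main__":
    for sid, matcher, thr in (
        (2003459, matches_2003459, Threshold("both", 1, 360)),
        (2001809, matches_2001809, Threshold("threshold", 10, 60)),
    ):
        for src, ts, dport in run(sample_traffic(), matcher, thr):
            print(f"sid {sid}: {src} -> :{dport} at t={ts:.0f}s")
```

Running it shows why the report saw hundreds of packets while the rule above produces a single hit per host: with type both, count 1, seconds 360, a source alerts once per 360-second window no matter how many bursts it sends inside that window, and alerts again only when a burst falls outside it. It also shows what Markus's question about ports was getting at: the host using a fixed source port other than 6346 never enters sid 2001809's $HOME_NET 6346 -> $EXTERNAL_NET 6346:6700 match at all, while the host on 6346 alerts only on its tenth matching packet within 60 seconds.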


Topic revision: r3 - 2007-03-01 - MattJonkman
Copyright © Emerging Threats