alert udp $HOME_NET any -> any any (msg:"BLEEDING-EDGE CURRENT Unknown P2P? Traffic -- Please report hits and packets to Bleeding@bleedingthreats.net or at the included reference"; dsize:35; content:"|49 50 40 83 53 43 50 41 00 00|"; offset:25; depth:10; threshold: type both, track by_src, count 1, seconds 360; reference:url,doc.bleedingthreats.net/2003459; classtype:unknown; sid:2003459; rev:1;)
Auto-added on 2007-02-28 21:04:29 UTC
Text from an initial report:
Here's a weird one... have several users spitting out hundreds of UDP packets. What I know so far:
* the source port is fixed for a given user (but varies by user),
* the destination ports appear to be random, but more than a coincidental number are 6346 making me suspect this is some new gnutella-ish thing,
* they go out in "bursts" periodically (like polling),
* they seem to be the same 35-byte payloads regardless of destination.
The payload is as follows:
0020 75 70 25 8e 89 45 up%..E
0030 32 a1 81 d0 3f fe 3e be e1 00 00 01 00 0c 00 00 2...?.>.........
0040 00 c3 02 49 50 40 83 53 43 50 41 00 00 ...IP@.SCPA..
--
MattJonkman - 28 Feb 2007
Identified! Thanks to Markus Lude:
Markus Lude wrote:
> Do you have some hits from sid 2001809 too? Sid 2001809 is looking for
> limewire traffic. Maybe some unusual ports in your traffic? On which
> ports or port ranges do you see those packets?
>
> sid 2001809 rev 3:
>
> alert udp $HOME_NET 6346 -> $EXTERNAL_NET 6346:6700 (msg: "BLEEDING-EDGE P2P? Limewire P2P? UDP Traffic"; content:"|49 50 40 83 53 43 50 41|"; threshold: type threshold, track by_src,count 10, seconds 60; classtype: policy-violation; reference:url,www.limewire.com; sid: 2001809; rev:3; )
--
MattJonkman - 01 Mar 2007
This has been removed; changes integrated into 2001809.
--
MattJonkman - 01 Mar 2007
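As an added example (not part of this page or of the Bleeding Edge rule set), the Python below re-implements only the dsize / content / offset / depth checks of the two rules on this page and runs them against the 35-byte payload transcribed from the initial report's hex dump. It shows why the two signatures fire on the same packet, which is what justified folding 2003459 into 2001809: the 8-byte LimeWire marker sits at byte 25 of the reported payload, exactly where the offset:25 / depth:10 window of 2003459 looks, and 2001809 finds the same bytes without pinning the position. The rule header, ports and threshold are not evaluated, and dsize is assumed to be in its exact-value form; those simplifications are the example's own.

```python
"""Evaluate the dsize/content/offset/depth options of two Snort-style rules
against a captured UDP payload.

Added example, not code from the Bleeding Edge project. Only the option
semantics below are implemented; headers, ports and thresholds are ignored.
"""
import re

# Transcribed from the initial report's hex dump. The dump's first line shows
# only six bytes because it begins at the UDP payload (Ethernet 14 + IPv4 20 +
# UDP 8 = 42 = 0x2a), so these are the 35 bytes the rule's dsize refers to.
REPORTED_PAYLOAD = bytes.fromhex(
    "75 70 25 8e 89 45"
    "32 a1 81 d0 3f fe 3e be e1 00 00 01 00 0c 00 00"
    "00 c3 02 49 50 40 83 53 43 50 41 00 00"
)

# The two rules as they appear on this page (2003459 joined onto one line).
RULE_2003459 = (
    'alert udp $HOME_NET any -> any any (msg:"BLEEDING-EDGE CURRENT Unknown P2P? '
    'Traffic -- Please report hits and packets to Bleeding@bleedingthreats.net or '
    'at the included reference"; dsize:35; content:"|49 50 40 83 53 43 50 41 00 00|"; '
    'offset:25; depth:10; threshold: type both, track by_src, count 1, seconds 360; '
    'reference:url,doc.bleedingthreats.net/2003459; classtype:unknown; sid:2003459; rev:1;)'
)
RULE_2001809 = (
    'alert udp $HOME_NET 6346 -> $EXTERNAL_NET 6346:6700 (msg: "BLEEDING-EDGE P2P? '
    'Limewire P2P? UDP Traffic"; content:"|49 50 40 83 53 43 50 41|"; threshold: type '
    'threshold, track by_src,count 10, seconds 60; classtype: policy-violation; '
    'reference:url,www.limewire.com; sid: 2001809; rev:3; )'
)

# One rule option: name, optional whitespace, colon, then either a quoted
# string or anything up to the terminating semicolon.
OPTION_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*);')


def parse_options(rule_text):
    """Return the rule's option block as {name: value}, quotes stripped."""
    opts_text = rule_text[rule_text.index("(") + 1:rule_text.rindex(")")]
    opts = {}
    for m in OPTION_RE.finditer(opts_text):
        name, value = m.group(1), m.group(2).strip()
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        opts[name] = value
    return opts


def parse_content(spec):
    """Turn a Snort content string such as 'ab|49 50|cd' into bytes: text
    outside |...| is literal, text inside is hex octets."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += part.encode("latin-1") if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)


def content_position(payload, content, offset=0, depth=None):
    """Snort-style search: the match must start at or after `offset` and end
    within the next `depth` bytes (whole remaining payload when depth is None).
    Returns the absolute index of the match, or -1."""
    end = len(payload) if depth is None else offset + depth
    return payload.find(content, offset, end)


def rule_matches(payload, rule_text):
    """True when the payload satisfies the rule's dsize (exact form only,
    an assumption of this example), content, offset and depth options."""
    opts = parse_options(rule_text)
    if "dsize" in opts and len(payload) != int(opts["dsize"]):
        return False
    content = parse_content(opts["content"])
    offset = int(opts.get("offset", 0))
    depth = int(opts["depth"]) if "depth" in opts else None
    return content_position(payload, content, offset, depth) >= 0


if __name__ == "__main__":
    marker = parse_content(parse_options(RULE_2001809)["content"])
    print("marker found at byte", content_position(REPORTED_PAYLOAD, marker))
    for name, rule in (("2003459", RULE_2003459), ("2001809", RULE_2001809)):
        print(name, "matches reported payload:", rule_matches(REPORTED_PAYLOAD, rule))
```

Shifting the payload by one byte (a constructed variant, not a real capture) makes 2003459 stop matching because the 10-byte window at offset 25 no longer contains the whole content, while 2001809 still matches; appending a byte breaks only the dsize:35 check. That is the difference between a rule pinned to a fixed layout and one that keys on the marker alone.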