09-29-2004 05:38 AM - edited 03-10-2019 01:10 AM
Is there a signature to capture eDonkey etc. via the proxy server? ID 11018 seems to only trap the connection from the proxy to the internet address. I would like to be able to identify the internal device connection to the proxy. I have modified the signature to include the port of the proxy but this has not helped.
09-29-2004 03:52 PM
You're seeing the connection from the proxy server because that's where your sensor is positioned in your network. If you want it to alert on the connection from the original host, then you would have to move the sensors sniffing interface to somewhere BEFORE your proxy server on your network.
09-30-2004 12:28 AM
Hi there Glenn, thank you very much for your reply but I have to tell you that I do not completely agree. The traffic is monitored at that point. I am wondering if the application does not do something different in the connection to the proxy.
01-13-2005 09:35 AM
I was wondering if there were any new ideas from the list regarding a problem that I am experiencing regarding the Edonkey (110018) signature via a proxy server.
The application Emule/ed2k can be configured via any HTTP proxy. Therefore there is a connection to and from the proxy server. I am able to detect the portion from the server but so far have not been able to get the standard Cisco signature to detect for the connection to an HTTP proxy.
The only modification that was made to the Cisco signature was to add the destination port of the proxy server to the list of default ServicePorts.
As a test, I coupled a snort detector in parallel to the Cisco sensor. The snort signature for the test was donated by Ian Gosling and is a part of his contribution during his GCIH practical. I installed them on the snort device and immediately began detecting. The signature that was used to detect was as follows:
alert tcp any any -> any any (msg:"BLEEDING-EDGE P2P ed2k connection to server"; content:"|e3|"; offset:0; depth:1; content:"|00000001|"; offset:2; depth:4; classtype:policy-violation; rev: 1; sid:2000330;)
The snort signature detected the connection to the proxy correctly and alerted whilst the Cisco signature failed to detect.
What have I overlooked? Is it perhaps something to do with direction of the connection?
01-13-2005 04:38 PM
Signature 11018 is essentially the same as the Snort signature presented. The difference is in the ports. Cisco's signature only examines the default eDonkey ports (4242,4661,4662). The Snort signature looks on all ports, so it will fire on the connection from the eDonkey client to the proxy server (likely ports 3128 or 1080). You could tune signature 11018 to add the port of your proxy server. We did not initially add any proxy ports to the signature, but we will investigate this for a future signature update.
01-13-2005 10:49 PM
Thank you for your reply:
As above >> "The only modification that was made to the Cisco signature was to add the destination port of the proxy server to the list of default ServicePorts."
01-18-2005 09:16 AM
I have a strange problem here with eDonkey.pdlm
I am using IOS c1700-k9sy7-mz.122-15.T13.bin, eDonkey.pdlm is the latest to download at the time I write these lines.
My configuration is:
class-map match-any P2P
 match protocol kazaa2
 match protocol bittorrent
 match protocol gnutella
 match protocol winmx
 match protocol edonkey
 match protocol http url "\.hash=*"
 match protocol http url "/.hash=*"
policy-map QOS-WAN
 class P2P
  police cir percent 15
   conform-action transmit
   exceed-action drop
   violate-action drop
interface ATM0.1 point-to-point
 ip address 10.1.1.1 255.255.255.0
 pvc 0/167
  service-policy output QOS-WAN
The problem is simple and strange (at least for the moment for me). I can see edonkey/emule traffic if I apply 'ip nbar protocol-discovery' at atm0.1 but the router is unable to match that traffic at the policy-map:
#sh policy-map int atm0.1
  Service-policy output: QOS-WAN
    Class-map: P2P (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol kazaa2
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol bittorrent
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol gnutella
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol winmx
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol edonkey
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol http url "\.hash=*"
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol http url "/.hash=*"
        0 packets, 0 bytes
        5 minute rate 0 bps
      police:
          cir 15 %
          cir 19000 bps, bc 1500 bytes, be 1500 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        violated 0 packets, 0 bytes; actions:
          drop
        conformed 0 bps, exceed 0 bps, violate 0 bps
Any suggestions? Any comments?
Thanks in advance.
Luis Miguel Cruz.
01-18-2005 10:58 AM
Oops! I forgot to say that the emule client is running using a web proxy, so I don't know exactly if there is a problem with the PDLM emule sign :P
01-21-2005 07:55 AM
Hi Luis,
I am very sorry, but I am not able to add value to your very good question. However, don't you think that it would be better to open a new conversation thread with a descriptive subject title for your post?
That may attract new readers that have already seen this thread, decided that they don't have the answer for my question and have moved on from here with "no intentions" of coming back.
Best regards
Darin
01-24-2005 07:55 AM
Yes, that question should go in another thread; yes, you are right. Sorry.
Anyway, in order to complete the information about the edonkey PDLM, I can confirm that the PDLM doesn't work with the edonkey client using a proxy server. This is strange since "ip nbar protocol-discovery" detects it but it doesn't appear to work in the QoS CLI (class-map).
01-21-2005 07:41 AM
I feel that the current Edonkey signature is limited and locked into the default ports used by the application. It is possible that you could slip past the Cisco signature if you were to use different ports on the application.
I would like to change my Cisco signature to rather look for two different parts of content. I found a signature that identifies ed2k with the following content.
content:"|e3|"; offset:0; depth:1; content:"|00000001|"; offset:2; depth:4
Could this be implemented in a Cisco signature and what would the regular expression look like?
[\xe3].*[\x00000001]
If it would be possible, I think that the modified signature would be better equipped to capture the source IP address on the way to an HTTP proxy. Right now the signature only captures the connection from the server (the source IP is the proxy).
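As an added example (not code from the thread or from Cisco), the following Python models the Snort content checks quoted above as a port-agnostic payload test and sets it beside a port-restricted variant that behaves the way the reply describes the stock signature 11018 (only the default ports 4242, 4661, 4662). The ed2k login frame, the proxy port 3128 and the CONNECT line are constructed sample data; the point it shows is that, through an HTTP proxy, the first client segment is the CONNECT request and the ed2k frame only opens a later segment, and that the port list alone decides whether the proxy-bound connection is ever inspected.

```python
import struct

ED2K_DEFAULT_PORTS = frozenset({4242, 4661, 4662})  # default service ports named in the reply
PROXY_PORT = 3128                                    # assumed HTTP proxy port (Squid default)


def ed2k_login_payload() -> bytes:
    """Constructed ed2k OP_LOGINREQUEST frame: 0xE3, little-endian 32-bit length,
    opcode 0x01, then a placeholder body (16-byte hash, client id, port, tag count)."""
    body = b"\x01" + b"\x00" * 16 + struct.pack("<IHI", 0, 4662, 0)
    return b"\xe3" + struct.pack("<I", len(body)) + body


def snort_rule_matches(payload: bytes) -> bool:
    """The two content checks of the quoted rule, both anchored to the segment payload:
    |e3| at offset 0 (depth 1) and |00 00 00 01| at offset 2 (depth 4)."""
    return payload[0:1] == b"\xe3" and payload[2:6] == b"\x00\x00\x00\x01"


def port_restricted_matches(payload: bytes, dst_port: int, ports=ED2K_DEFAULT_PORTS) -> bool:
    """Same payload check, evaluated only when dst_port is in the service-port list,
    which is how the reply describes signature 11018 before tuning."""
    return dst_port in ports and snort_rule_matches(payload)


def first_hit(segments, dst_port, ports=None):
    """Index of the first client->server TCP segment that fires, or -1.
    ports=None means port-agnostic, as in the Snort rule."""
    for i, seg in enumerate(segments):
        hit = snort_rule_matches(seg) if ports is None else port_restricted_matches(seg, dst_port, ports)
        if hit:
            return i
    return -1


# Constructed flows. Via an HTTP proxy the first client segment is the CONNECT
# request, so the ed2k frame is only at the start of a later segment.
DIRECT_FLOW = [ed2k_login_payload()]
PROXY_FLOW = [b"CONNECT 192.0.2.10:4662 HTTP/1.0\r\n\r\n", ed2k_login_payload()]

if __name__ == "__main__":
    print("direct, port-agnostic:", first_hit(DIRECT_FLOW, 4662))
    print("direct, default ports:", first_hit(DIRECT_FLOW, 4662, ED2K_DEFAULT_PORTS))
    print("proxy, port-agnostic :", first_hit(PROXY_FLOW, PROXY_PORT))
    print("proxy, default ports :", first_hit(PROXY_FLOW, PROXY_PORT, ED2K_DEFAULT_PORTS))
    print("proxy, tuned ports   :", first_hit(PROXY_FLOW, PROXY_PORT, ED2K_DEFAULT_PORTS | {PROXY_PORT}))
```

With the default port list the proxy-bound flow never fires; adding the proxy port to the list makes the second segment fire, which is the tuning the Cisco reply suggests.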