eDonkey Activity ID: 11018 "Through HTTP Proxy"

darin.marais (Level 4)

Is there a signature to capture eDonkey etc. via the proxy server? ID 11018 seems to only trap the connection from the proxy to the internet address. I would like to be able to identify the internal device connection to the proxy. I have modified the signature to include the port of the proxy but this has not helped.

10 Replies

gfullage (Cisco Employee)

You're seeing the connection from the proxy server because that's where your sensor is positioned in your network. If you want it to alert on the connection from the original host, then you would have to move the sensor's sniffing interface to somewhere BEFORE your proxy server on your network.

Hi there Glenn, thank you very much for your reply but I have to tell you that I do not completely agree. The traffic is monitored at that point. I am wondering if the application does not do something different in the connection to the proxy.

I was wondering if there were any new ideas from the list regarding a problem that I am experiencing with the eDonkey (110018) signature via a proxy server.

The application Emule/ed2k can be configured via any HTTP proxy. Therefore there is a connection “to” and “from” the proxy server. I am able to detect the portion “from” the server but so far have not been able to get the standard Cisco signature to detect for the connection “to” an HTTP proxy.

The only modification that was made to the Cisco signature was to add the destination port of the proxy server to the list of default ServicePorts.

As a test, I coupled a snort detector in parallel to the Cisco sensor. The snort signature for the test was donated by Ian Gosling and is a part of his contribution during his GCIH practical. I installed them on the snort device and immediately began detecting. The signature that was used to detect was as follows:

alert tcp any any -> any any (msg:"BLEEDING-EDGE P2P ed2k connection to server"; content:"|e3|"; offset:0; depth:1; content:"|00000001|"; offset:2; depth:4; classtype:policy-violation; rev: 1; sid:2000330;)

The snort signature detected the connection to the proxy correctly and alerted whilst the Cisco signature failed to detect.

What have I overlooked? Is it perhaps something to do with direction of the connection?

Signature 11018 is essentially the same as the Snort signature presented. The difference is in the ports. Cisco's signature only examines the default eDonkey ports (4242,4661,4662). The Snort signature looks on all ports, so it will fire on the connection from the eDonkey client to the proxy server (likely ports 3128 or 1080). You could tune signature 11018 to add the port of your proxy server. We did not initially add any proxy ports to the signature, but we will investigate this for a future signature update.

Thank you for your reply.

As above: "The only modification that was made to the Cisco signature was to add the destination port of the proxy server to the list of default ServicePorts."

I have a strange problem here with eDonkey.pdlm

I am using IOS c1700-k9sy7-mz.122-15.T13.bin, eDonkey.pdlm is the latest to download at the time I write these lines.

My configuration is:

class-map match-any P2P
 match protocol kazaa2
 match protocol bittorrent
 match protocol gnutella
 match protocol winmx
 match protocol edonkey
 match protocol http url "\.hash=*"
 match protocol http url "/.hash=*"

policy-map QOS-WAN
 class P2P
  police cir percent 15
   conform-action transmit
   exceed-action drop
   violate-action drop

interface ATM0.1 point-to-point
 ip address 10.1.1.1 255.255.255.0
 pvc 0/167
  service-policy output QOS-WAN

The problem is simple and strange (at least for the moment for me). I can see edonkey/emule traffic if I apply 'ip nbar protocol-discovery' at atm0.1 but the router is unable to match that traffic at the policy-map:

#sh policy-map int atm0.1

 Service-policy output: QOS-WAN

   Class-map: P2P (match-any)
     0 packets, 0 bytes
     5 minute offered rate 0 bps, drop rate 0 bps
     Match: protocol kazaa2
       0 packets, 0 bytes
       5 minute rate 0 bps
     Match: protocol bittorrent
       0 packets, 0 bytes
       5 minute rate 0 bps
     Match: protocol gnutella
       0 packets, 0 bytes
       5 minute rate 0 bps
     Match: protocol winmx
       0 packets, 0 bytes
       5 minute rate 0 bps
     Match: protocol edonkey
       0 packets, 0 bytes
       5 minute rate 0 bps
     Match: protocol http url "\.hash=*"
       0 packets, 0 bytes
       5 minute rate 0 bps
     Match: protocol http url "/.hash=*"
       0 packets, 0 bytes
       5 minute rate 0 bps
     police:
       cir 15 %
       cir 19000 bps, bc 1500 bytes, be 1500 bytes
       conformed 0 packets, 0 bytes; actions:
         transmit
       exceeded 0 packets, 0 bytes; actions:
         drop
       violated 0 packets, 0 bytes; actions:
         drop
       conformed 0 bps, exceed 0 bps, violate 0 bps

Any suggestions? Any comments?

Thanks in advance.

Luis Miguel Cruz.

Oops! I forgot to say that the emule client is running using a web proxy, so I don't know exactly if there is a problem with the PDLM emule signature :P

Hi Luis,

I am very sorry, but I am not able to add value to your very good question; however, don't you think that it would be better to open a new conversation thread with a descriptive subject title for your post?

That may attract new readers that have already seen this thread, decided that they don’t have the answer for my question and have moved on from here with "no intentions" of coming back.

Best regards

Darin

Yes, that question should go in another thread; yes, you are right. Sorry.

Anyway, in order to complete the information about the edonkey PDLM, I can confirm that the PDLM doesn't work with the edonkey client using a proxy server. This is strange since "ip nbar protocol-discovery" detects it, but it doesn't appear to work in the QoS CLI (class-map).

I feel that the current eDonkey signature is limited and locked into the default ports used by the application. It is possible that you could slip past the Cisco signature if you were to use different ports on the application.

I would like to change my Cisco signature to rather look for two different parts of content. I found a signature that identifies ed2k with the following content.

content:"|e3|"; offset:0; depth:1; content:"|00000001|"; offset:2; depth:4

Could this be implemented in a Cisco signature and what would the regular expression look like?

“[\xe3].*[\x00000001]”

If it would be possible, I think that the modified signature would be better equipped to capture the source IP address on the way to an HTTP proxy. Right now the signature only captures the connection from the server (the source IP is the proxy).
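A Python version of the header check that the quoted Snort rule performs, added here as an illustration and not code from the thread, from Cisco or from Snort: it applies the two content matches (0xE3 at offset 0, then 00 00 00 01 in the four bytes at offset 2) to constructed sample flows, once port-independently and once restricted to the default ports 4242, 4661 and 4662 named above, and gives the regex equivalent of the same check. The flow tuples, addresses and the 3128 proxy port are constructed assumptions.

```python
import re

# Header layout encoded by the Snort rule quoted in the thread: byte 0 is the
# 0xE3 ed2k protocol marker; bytes 2..5 are 00 00 00 01 (upper bytes of the
# little-endian length field, then opcode 0x01, the login request).
ED2K_MARKER = b"\xe3"
ED2K_LOGIN_TAIL = b"\x00\x00\x00\x01"
# Same pair of matches as one regex; '.' is the unconstrained length byte at
# offset 1 and DOTALL lets it take any value (each \x escape is exactly two
# hex digits, so the four-byte tail is four escapes, not one).
ED2K_LOGIN_RE = re.compile(rb"^\xe3.\x00\x00\x00\x01", re.DOTALL)
# Ports the thread says signature 11018 inspects by default.
DEFAULT_ED2K_PORTS = {4242, 4661, 4662}

def snort_content_match(payload: bytes, content: bytes, offset: int, depth: int) -> bool:
    """Emulate Snort content/offset/depth: search only the 'depth' bytes
    that begin at 'offset'."""
    return content in payload[offset:offset + depth]

def is_ed2k_login(payload: bytes) -> bool:
    """Port-independent check with the logic of the quoted Snort rule."""
    return (snort_content_match(payload, ED2K_MARKER, 0, 1)
            and snort_content_match(payload, ED2K_LOGIN_TAIL, 2, 4))

def is_ed2k_login_regex(payload: bytes) -> bool:
    """The same check written as a regular expression."""
    return ED2K_LOGIN_RE.match(payload) is not None

def classify_flows(flows, ports=None):
    """Return (src, dst, dport) of each flow whose payload is an ed2k login.
    ports=None is content-only; a port set mimics a port-restricted
    signature such as 11018 with its default ServicePorts."""
    hits = []
    for src, dst, dport, payload in flows:
        if ports is None or dport in ports:
            if is_ed2k_login(payload):
                hits.append((src, dst, dport))
    return hits

# Constructed sample flows, not captured traffic: through an HTTP proxy the
# client sends CONNECT first (no match) and then the ed2k login; the proxy then
# opens its own connection to the ed2k server on 4661 carrying the same login.
LOGIN_PAYLOAD = b"\xe3\x22\x00\x00\x00\x01" + b"\x00" * 0x21  # len 0x22 = opcode + 33
SAMPLE_FLOWS = [
    ("10.0.0.5", "10.0.0.1", 3128, b"CONNECT 192.0.2.10:4661 HTTP/1.0\r\n\r\n"),
    ("10.0.0.5", "10.0.0.1", 3128, LOGIN_PAYLOAD),
    ("10.0.0.1", "192.0.2.10", 4661, LOGIN_PAYLOAD),
]
```

With the port set applied only the proxy-to-server leg is reported, which is the behaviour described for the default signature; the content-only pass also reports the client-to-proxy leg with the internal source address.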
