OSEC

From: Randy Taylor (gnucharm.net)
Date: Thu Jan 03 2002 - 17:17:28 CST

    At 10:39 AM 1/3/2002 -0500, Richard.CTR.Mickeytc.faa.gov wrote:
    >I would like to watch for networked games (such as Doom), but it seems
    >they use a multitude of options for connecting. I found clients that
    >connect via IPX, TCP, UDP and Server side Java applets just poking around
    >the Internet.
    >
    >Any help with Snort rules or general strategies for monitoring these will
    >be appreciated.
    >
    >Thanks in Advance.
    >
    >Rich

    Just a quick list.

    Games that run off of MSN's GamingZone can be picked up
    from TCP port 80 activity - this includes Age of Empires and Asheron's
    Call, among others.

    Baldur's Gate 2 can be detected at TCP port 8000.

    Civ II intranet servers run from TCP port 4993.

    Diablo 2 - TCP port 6112

    Everquest - UDP port 53 on patch server lookups

    Dark Age of Camelot - TCP port 1280

    Gamespy - UDP port 25365

    Giants - Citizen Kabuto - via Gamespy on TCP 28900
                                        - via Mplayer on TCP 8000

    Half-Life - UDP 27015

    Star Trek Voyager Elite Force - UDP 27960

    Ultima Online - TCP 8888

    Unreal Tournament - detectable off TCP port 80

    I can't speak to Snort sigs - I use Dragon. At any rate,
    I hope this helps - and Snort sigs should be easy to
    write given a sniffer and copies of your target games.

    Best regards,

    Randy
    -----
    "You wield your heinous power like a heinous thing being wielded
    by a guy wielding a heinous power." - scrappins
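
The port list above, applied to flow records, as an added example that is not part of the original message. The record format (`proto src dst dport`), the sample addresses and the split into "likely" versus "needs_payload" are assumptions made for illustration: TCP 80 and UDP 53 also carry ordinary web and DNS traffic, and TCP 8000 is listed for two games, so a port match alone cannot name the game there.

```python
from collections import defaultdict

# (protocol, destination port) -> games, copied from the list in the reply above.
GAME_PORTS = {
    ("tcp", 80): ["MSN GamingZone", "Unreal Tournament"],
    ("tcp", 8000): ["Baldur's Gate 2", "Giants (Mplayer)"],
    ("tcp", 4993): ["Civ II"],
    ("tcp", 6112): ["Diablo 2"],
    ("udp", 53): ["Everquest patch lookup"],
    ("tcp", 1280): ["Dark Age of Camelot"],
    ("udp", 25365): ["Gamespy"],
    ("tcp", 28900): ["Giants (Gamespy)"],
    ("udp", 27015): ["Half-Life"],
    ("udp", 27960): ["Star Trek Voyager Elite Force"],
    ("tcp", 8888): ["Ultima Online"],
}
# Assumption: ports shared with everyday web/DNS traffic are reported
# separately because the port number alone does not identify a game.
SHARED = {("tcp", 80), ("udp", 53)}


def triage(lines):
    """Group port matches per source host: {src: {"likely", "needs_payload"}}."""
    hosts = defaultdict(lambda: {"likely": set(), "needs_payload": set()})
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip malformed records
        key = (parts[0].lower(), int(parts[3]))
        games = GAME_PORTS.get(key)
        if not games:
            continue  # destination port is not on the list
        # A shared port, or one listed for several games, needs a payload check.
        ambiguous = key in SHARED or len(games) > 1
        hosts[parts[1]]["needs_payload" if ambiguous else "likely"].update(games)
    return dict(hosts)


# Constructed sample flow records (proto src dst dport), not real traffic.
SAMPLE = [
    "tcp 10.0.0.5 198.51.100.7 6112",
    "udp 10.0.0.5 198.51.100.9 27015",
    "tcp 10.0.0.8 203.0.113.4 80",
    "tcp 10.0.0.8 203.0.113.4 8000",
    "udp 10.0.0.9 192.0.2.53 53",
    "tcp 10.0.0.9 192.0.2.10 443",
    "garbage line",
]

if __name__ == "__main__":
    for host, hits in sorted(triage(SAMPLE).items()):
        print(host, {k: sorted(v) for k, v in hits.items()})
```

Hosts that land only in "needs_payload" are the ones where a sniffer capture of the game itself, as the reply suggests, is needed to write a content-based signature.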