[Snort-sigs] suggested modification to gnutella rules

Michael Scheidell scheidell at ...249...
Tue Jun 25 06:06:01 EDT 2002


One of our clients extensively uses a proxy server.
The Gnutella rules (in policy.rules on 1.8x, and in p2p.rules in 1.9x)
create massive false alerts.

(one for every 'GET' the client does through the proxy server)

The !80 doesn't stop it, and yes, maybe a port list would:
!80,!8080,!8000,!8001,!3028

Would this patch stop it as well (adding in ! "GET http")?

--- policy.rules.orig	Mon Jun 24 15:30:17 2002
+++ policy.rules	Tue Jun 25 08:54:52 2002
@@ -61,7 +61,7 @@
 alert tcp $HOME_NET any -> $EXTERNAL_NET 8888 (msg:"P2P napster new user login"; flags:A+; content:"|00 0600|"; offset:1; depth:3; classtype:misc-activity; sid:550;  rev:5;)
 alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"P2P napster download attempt"; flags:A+; content:"|00 cb00|"; offset:1; depth:3; classtype:misc-activity; sid:551;  rev:4;)
 alert tcp $EXTERNAL_NET 8888 -> $HOME_NET any (msg:"P2P napster upload request"; flags:A+; content:"|00 5f02|"; offset:1; depth:3; classtype:misc-activity; sid:552;  rev:4;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"P2P GNUTella GET"; flags:A+; content:"GET "; offset:0; depth:4; classtype:misc-activity; sid:1432;  rev:3;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"P2P GNUTella GET"; flags:A+; content: ! "GET http"; content: content:"GET "; offset:0; depth:15;  classtype:misc-activity; sid:1432;  rev:3;)
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P Outbound GNUTella client request"; flags:A+; content:"GNUTELLA CONNECT"; depth:40; classtype:misc-activity; sid:556;  rev:4;)
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P GNUTella client request"; flags:A+; content:"GNUTELLA OK"; depth:40; classtype:misc-activity; sid:557;  rev:5;)
 alert tcp $HOME_NET any <> $EXTERNAL_NET 6699 (msg:"P2P Napster Client Data"; flags:A+; content:".mp3"; nocase; classtype:misc-activity; sid:561;  rev:5;)
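Review bot: the replacement line for sid 1432 will not parse as written: Snort's negated-content form puts the `!` directly before the string (`content:!"GET http";`), and `content: content:"GET ";` repeats the keyword. Something like `content:!"GET http"; offset:0; depth:8; content:"GET "; offset:0; depth:4;` keeps the original anchored "GET " check and only excludes payloads that begin with "GET http", which is the proxied form the message describes; widening the second match to `depth:15` instead lets "GET " match anywhere in the first 15 bytes, which is a behaviour change rather than a fix. The rule body changes but `rev:3` is left unchanged; bump it to `rev:4`.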
-- 
Michael Scheidell
SECNAP Network Security, LLC
(561) 368-9561 scheidell at ...249...
http://www.secnap.net/