[Snort-sigs] Problems with SID 1432

Sam Evans sam at ...219...
Wed Apr 16 08:47:08 EDT 2003


I've noticed a huge amount of false positives with this rule.  It triggers
in proxy server environments.  The problem here is that offset 0 and
depth 4 are *exactly* the same as a normalized HTTP GET request.

While !80 excludes this rule from firing on HTTP traffic, it does not
exclude HTTP requests sent through proxy servers.  We've also noticed this
rule firing when HTML emails come in, which seems odd in itself.

Anyway, I'm not sure how to really go about fixing the rule so it's more
accurate, given how the Gnutella protocol works.  It's not as easy as
Kazaa because Gnutella doesn't include any additional headers (like
X-Kazaa).

I'd like to suggest the removal of this rule based on the fact that it's
really not accurate in its current state.

Here's the rule from snort-rules-current:

alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"P2P GNUTella GET"; flow:to_server,established; content:"GET "; offset:0; depth:4; classtype:misc-activity; sid:1432;  rev:3;)



Thanks,
Sam
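To make the false-positive concrete, here is an added example (not part of the post or the Snort rule set) that reproduces the match logic of SID 1432 in Python and runs it over constructed client-to-server payloads: a Gnutella download request, a direct web request on port 80, the same request sent through a forward proxy on 3128, and an HTTP POST. It also sketches one possible discriminator, which is an assumption of this example and not something the post proposes: a request to a forward proxy carries an absolute URI in its request line (RFC 2616 section 5.1.2), while a Gnutella file transfer uses a server-relative path such as /get/<index>/<filename>. Port numbers, hostnames and file names in the samples are made up for the illustration.

```python
"""Reproduce the match logic of Snort SID 1432 over constructed payloads.

Added illustration only; not the Snort rule set's code and not from the
original post. All sample payloads below are constructed for this example.
"""


def sid1432_matches(dst_port: int, payload: bytes) -> bool:
    """Model of: alert tcp $HOME_NET any -> $EXTERNAL_NET !80
    (content:"GET "; offset:0; depth:4; ...)

    offset:0 depth:4 means the 4-byte pattern must start at byte 0 of the
    payload, so the rule fires on any payload beginning with b"GET " that
    is sent to a destination port other than 80.
    """
    if dst_port == 80:  # the "!80" port negation
        return False
    return payload[0:4] == b"GET "


# Constructed sample client->server payloads: (destination port, payload).
SAMPLES = {
    # Gnutella file transfer: the download itself is a plain HTTP GET to the
    # peer's listening port, using a server-relative path.
    "gnutella_download": (
        6346,
        b"GET /get/42/song.mp3 HTTP/1.1\r\nHost: 10.0.0.5:6346\r\n\r\n",
    ),
    # Direct web request: excluded purely by the "!80" port negation.
    "direct_http": (
        80,
        b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    ),
    # Same request sent via a forward proxy on 3128: the request line now
    # carries an absolute URI, and the port is no longer 80, so it matches.
    "proxied_http": (
        3128,
        b"GET http://www.example.com/index.html HTTP/1.1\r\n"
        b"Host: www.example.com\r\n\r\n",
    ),
    # Different method: never matches the content pattern.
    "http_post": (
        8080,
        b"POST http://www.example.com/form HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    ),
}


def evaluate_samples() -> dict:
    """Run the SID 1432 model over every constructed sample."""
    return {name: sid1432_matches(port, data) for name, (port, data) in SAMPLES.items()}


def looks_like_proxied_request(payload: bytes) -> bool:
    """Hypothetical discriminator (assumption of this example, not from the
    post): a request made to a forward proxy uses the absoluteURI form in the
    request line (RFC 2616 section 5.1.2), whereas a Gnutella download
    request uses a server-relative path such as /get/<index>/<name>.
    """
    request_line = payload.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    return len(parts) >= 2 and parts[1].lower().startswith((b"http://", b"https://"))


def sid1432_refined(dst_port: int, payload: bytes) -> bool:
    """SID 1432 match with the hypothetical proxied-request exclusion applied."""
    return sid1432_matches(dst_port, payload) and not looks_like_proxied_request(payload)


if __name__ == "__main__":
    for name, fired in evaluate_samples().items():
        port, data = SAMPLES[name]
        print(f"{name:18s} port={port:<5d} sid1432={fired!s:5s} "
              f"refined={sid1432_refined(port, data)}")
```

Running it shows the rule model firing on both the Gnutella download and the proxied web request, which is exactly the ambiguity described above: at offset 0 and depth 4 the two are byte-for-byte identical. The absolute-URI check separates the two constructed samples, but it does nothing for the HTML-email case mentioned in the post and is only a heuristic for thinking about the problem, not a tested replacement rule.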