[Snort-sigs] P2P Question
trevor at ...777...
Wed Apr 16 11:20:41 EDT 2003
I have a question about this rule I'm using. I am trying to stop people
from using P2P clients, and I am considering sending out tcp_resets for
this rule. My concern is that this rule seems pretty general. Does
anyone have any experience with false positives on this one?

Using snort 1.9.1.

alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"P2P GNUTella GET";
flow:to_server,established; content:"GET "; offset:0; depth:4;
classtype:misc-activity; sid:1432; rev:3;)

Thanks in advance.
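
Added example, not part of the original post and not Snort's own code: a small Python model of the match conditions in the rule above, run over constructed payloads to show which outbound requests it would alert on (and so which sessions a tcp_reset response would tear down). The HOME_NET value, the function names and every sample payload are assumptions made for the illustration, and $EXTERNAL_NET is modelled as "not HOME_NET".

```python
import ipaddress

# Assumed value for this example; the post does not state its variables.
HOME_NET = ipaddress.ip_network("192.168.0.0/16")


def content_match(payload: bytes, pattern: bytes, offset: int, depth: int) -> bool:
    """content with offset/depth: search only payload[offset:offset+depth].
    No 'nocase' modifier in the rule, so the comparison is case-sensitive."""
    return pattern in payload[offset:offset + depth]


def sid_1432_matches(src_ip, dst_ip, dst_port, to_server_established, payload):
    """Hypothetical helper modelling the header and options of sid:1432."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    return (src in HOME_NET                 # $HOME_NET any ->
            and dst not in HOME_NET         # $EXTERNAL_NET (modelled as !HOME_NET)
            and dst_port != 80              # !80
            and to_server_established       # flow:to_server,established
            and content_match(payload, b"GET ", 0, 4))


# Constructed sample traffic: (label, src, dst, dst_port, first payload bytes)
SAMPLES = [
    ("gnutella-style download", "192.168.1.10", "203.0.113.5", 6346,
     b"GET /get/1/file.mp3 HTTP/1.0\r\nUser-Agent: Gnutella\r\n\r\n"),
    ("web browsing on port 80", "192.168.1.10", "203.0.113.6", 80,
     b"GET / HTTP/1.0\r\n\r\n"),
    ("browser via proxy on 8080", "192.168.1.11", "203.0.113.7", 8080,
     b"GET http://example.com/ HTTP/1.0\r\n\r\n"),
    ("web server on port 8000", "192.168.1.12", "203.0.113.8", 8000,
     b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("form POST on 8080", "192.168.1.11", "203.0.113.7", 8080,
     b"POST /form HTTP/1.0\r\n\r\n"),
    ("lowercase method on 8000", "192.168.1.12", "203.0.113.8", 8000,
     b"get / HTTP/1.0\r\n\r\n"),
]


def alerts():
    """Labels of the constructed samples the modelled rule would fire on."""
    return [label for label, src, dst, port, data in SAMPLES
            if sid_1432_matches(src, dst, port, True, data)]


if __name__ == "__main__":
    for label in alerts():
        print("ALERT P2P GNUTella GET:", label)
```

In this model the two ordinary HTTP requests to ports 8080 and 8000 alert alongside the Gnutella-style one, because the only payload condition is that the first four bytes are "GET ".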