[Snort-sigs] P2P Question

Trevor Daucsavage trevor at ...777...
Wed Apr 16 11:20:41 EDT 2003


I have a question about this rule I'm using.  I am trying to stop people
from using P2P clients, and I am considering sending out tcp_resets for
this rule.  My concern is that this rule seems pretty general.  Does
anyone have any experience with false positives on this one?

Using snort 1.9.1.

alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"P2P GNUTella GET";
flow:to_server,established; content:"GET "; offset:0; depth:4;
classtype:misc-activity; sid:1432;  rev:3;)



Thanks in advance.

Trevor
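To make the false-positive concern concrete, here is an added illustration (not part of the original post, and not Snort code) that emulates the matching conditions of the posted rule, sid:1432 rev:3, over a handful of constructed client-to-server payloads. The destination-port check stands in for "!80", a boolean stands in for "flow:to_server,established", and the "$HOME_NET"/"$EXTERNAL_NET" address test is not modelled. The sample payloads are made up for the demonstration; the Gnutella "/get/<index>/<name>" download path is taken from the Gnutella protocol, but the narrower matcher at the end is only an illustration of what tightening the content match does to the sample set, not a vetted replacement rule.

```python
"""Emulate the match logic of the posted Snort rule (sid:1432 rev:3) against
constructed payloads. Added example, not Snort's own matching engine."""

from dataclasses import dataclass

HTTP_PORT = 80  # the one destination port the rule's "!80" excludes


@dataclass
class Flow:
    dst_port: int     # TCP destination port ($EXTERNAL_NET side)
    to_server: bool   # stands in for flow:to_server,established
    payload: bytes    # first bytes of the client's payload in this direction


def rule_1432_matches(flow: Flow) -> bool:
    """alert tcp $HOME_NET any -> $EXTERNAL_NET !80
       (flow:to_server,established; content:"GET "; offset:0; depth:4;)
    Address matching ($HOME_NET/$EXTERNAL_NET) is assumed to have passed."""
    if flow.dst_port == HTTP_PORT:      # "!80": any port except 80
        return False
    if not flow.to_server:              # flow:to_server,established
        return False
    # offset:0; depth:4 -> the four-byte pattern must occupy bytes [0:4]
    return flow.payload[0:4] == b"GET "


def narrowed_matches(flow: Flow) -> bool:
    """Illustrative only: same conditions, but the content is lengthened to
    the Gnutella download path prefix "GET /get/" (offset:0; depth:9).
    Shows how a longer content string drops generic HTTP-on-odd-ports hits
    in this sample set; it is an assumption, not a tested production rule."""
    if flow.dst_port == HTTP_PORT or not flow.to_server:
        return False
    return flow.payload[0:9] == b"GET /get/"


# Constructed sample flows (not captured traffic)
SAMPLES = {
    "gnutella download on 6346": Flow(6346, True, b"GET /get/123/song.mp3 HTTP/1.1\r\n"),
    "web proxy on 8080":         Flow(8080, True, b"GET http://example.com/ HTTP/1.1\r\n"),
    "dev web server on 8000":    Flow(8000, True, b"GET /index.html HTTP/1.0\r\n"),
    "plain web on 80":           Flow(80,   True, b"GET / HTTP/1.1\r\n"),
    "server reply on 6346":      Flow(6346, False, b"HTTP/1.1 200 OK\r\n"),
    "GET not at byte 0":         Flow(6346, True, b"\r\nGET /x HTTP/1.1\r\n"),
}


def evaluate(samples=None) -> dict:
    """Run the posted rule's logic over every sample; returns name -> hit."""
    samples = SAMPLES if samples is None else samples
    return {name: rule_1432_matches(f) for name, f in samples.items()}


def evaluate_narrowed(samples=None) -> dict:
    samples = SAMPLES if samples is None else samples
    return {name: narrowed_matches(f) for name, f in samples.items()}


if __name__ == "__main__":
    wide, narrow = evaluate(), evaluate_narrowed()
    for name in SAMPLES:
        print(f"sid:1432 {'ALERT' if wide[name] else '  -  '}   "
              f"narrowed {'ALERT' if narrow[name] else '  -  '}   {name}")
```

Run it and the point of the question shows up directly: every sample that starts an HTTP request on a port other than 80 (the proxy on 8080, the development server on 8000) fires sid:1432 exactly as the Gnutella download does, because the rule inspects only the first four bytes of the payload. If tcp_resets are tied to this rule as posted, those sessions would be reset too. The narrowed matcher fires only on the "/get/" path in this sample set, but it is an illustration of the trade-off, not a claim about real Gnutella coverage.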



