[Snort-sigs] P2P Question
Dirk Mueller
dmuell at ...433...
Wed Apr 16 12:21:00 EDT 2003
On Wed, 16 Apr 2003, Trevor Daucsavage wrote:
> I have a question about this rule I'm using. I am trying to stop people
> from using P2P clients, and I am considering sending out tcp_resets for
> this rule. My concern is that this rule seems pretty general. Does
> anyone have any experience with false positives on this one?
Yes, it has a terrible amount of false positives and is in general not
usable. I use this rule for detecting Kazaa (GNUTella isn't widely used
anymore from my experience):
# sid is a placeholder in the local (>= 1000000) range; pick your own
alert tcp $HOME_NET 1024:65535 -> $EXTERNAL_NET any (msg:"Kazaa access"; \
flow:from_client; content:"GET /.hash="; nocase; classtype:bad-unknown; \
sid:1000001; rev:1;)
Even this rule is still fairly trivial (it triggers on this string anywhere
in the stream instead of just at the beginning), but it is foolproof enough
to find the Kazaa users.
--
Dirk
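The caveat in the reply above (the content string is matched anywhere in the stream, not just at the start) is easiest to see on concrete payloads. The following is an added example, not code from the post or from Snort: a small stand-in for the rule's content/nocase matching, with an "anchored" mode that emulates adding a `depth` modifier so the pattern must sit at the very start of the payload. All sample payloads and hash values are constructed.

```python
# Added example (not from the list post): a small evaluator that mimics the
# matching logic of the Kazaa rule above, so the "matches anywhere in the
# stream" caveat can be seen on constructed payloads. Snort itself is not
# used; "anchored" stands in for adding a `depth` modifier to the rule.
from typing import Dict, Optional

KAZAA_CONTENT = b"GET /.hash="      # the content: pattern from the rule
CLIENT_PORTS = range(1024, 65536)    # the 1024:65535 source-port range


def content_matches(payload: bytes, content: bytes,
                    nocase: bool = True, depth: Optional[int] = None) -> bool:
    """Approximate Snort's content option.

    nocase: case-insensitive comparison, as in the rule.
    depth:  search only the first `depth` bytes of the payload (Snort's depth
            modifier); None searches the whole payload, as the rule does.
    """
    haystack = payload if depth is None else payload[:depth]
    if nocase:
        haystack, content = haystack.lower(), content.lower()
    return content in haystack


def kazaa_alert(src_port: int, payload: bytes, anchored: bool = False) -> bool:
    """True if the rule would fire on one client->server payload.

    anchored=True emulates `depth:<len(content)>`, which forces the match to
    sit at the start of the payload instead of anywhere in it.
    """
    if src_port not in CLIENT_PORTS:
        return False
    depth = len(KAZAA_CONTENT) if anchored else None
    return content_matches(payload, KAZAA_CONTENT, nocase=True, depth=depth)


# Constructed sample payloads (hash values are made up).
SAMPLES = {
    "kazaa_request": b"GET /.hash=3f1a9c0d7b2e4a6f8c1d HTTP/1.1\r\nHost: 10.0.0.5\r\n",
    "kazaa_mixed_case": b"get /.HASH=3f1a9c0d7b2e4a6f8c1d HTTP/1.1\r\n",
    # a benign upload whose body merely mentions the pattern mid-stream
    "benign_midstream": (b"POST /upload HTTP/1.1\r\nContent-Type: text/plain\r\n\r\n"
                         b"proxy log: GET /.hash=3f1a9c0d7b2e4a6f8c1d was blocked"),
    "benign_get": b"GET /index.html HTTP/1.1\r\n",
}


def evaluate(anchored: bool = False) -> Dict[str, bool]:
    """Run every sample through the rule from an ephemeral source port."""
    return {name: kazaa_alert(40000, data, anchored) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for mode in (False, True):
        print("anchored" if mode else "unanchored", evaluate(mode))
```

The unanchored run fires on the benign upload as well as on the two Kazaa requests; the anchored run only fires on the Kazaa requests.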