[Snort-sigs] P2P Question
dmuell at ...433...
Wed Apr 16 12:21:00 EDT 2003
On Mit, 16 Apr 2003, Trevor Daucsavage wrote:
> I have a question about this rule I'm using. I am trying to stop people
> from using P2P clients, and I am considering sending out tcp_resets for
> this rule. My concern is that this rule seems pretty general. Does
> anyone have any experience with false positives on this one?
Yes, it has a terrible amount of false positives and is in general not
usable. I use this rule for detecting Kazaa (GNUTella isn't widely used
anymore from my experience):
alert tcp $HOME_NET 1024:65535 -> $EXTERNAL_NET any (msg:"Kazaa access";
flow: from_client; content: "GET /.hash="; nocase; classtype:bad-unknown;)
even this rule is still fairly trivial (it triggers on this string anywhere
in the stream instead of just at the beginning), but it is foolproof enough
to find the Kazaa users.
More information about the Snort-sigs