[Snort-sigs] False positives in rule for P2P Gnutella (1432)

Javier Fernandez-Sanguino jfernandez at ...2106...
Tue Dec 30 07:50:31 EST 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Rule:
alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"P2P GNUTella GET";
flow:to_server,established; content:"GET "; offset:0; depth:4;
classtype:policy-violation; sid:1432; rev:4;)

- --
Sid:
1432
- --
False Positives:

Because the rule is limited to scanning every port except 80, it will fire in
many cases when legitimate users access web servers on non-standard
ports (commonly 8080, 8000, etc.).

You will need to add "pass" rules for those ports if you don't want to
be bugged with this rule (since you cannot currently define a list of
valid ports; see FAQ item 4.26).


HTH. Regards,

Javier Fernandez-Sanguino

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1.1

iQA/AwUBP+v/PqO1I0N5hzVfEQLOUACgrMDA1QCOrPeRfTELLu7Skjg0y/kAn3f9
pVSoyzY+FMIaDZ9tzkuDEaoi
=XWru
-----END PGP SIGNATURE-----
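Added example (not part of the original post or of the Snort distribution): a small Python re-implementation of the matching conditions of sid 1432 (content "GET " at offset 0, depth 4, any destination port except 80, established to-server flow) run over constructed flows. It shows why the "!80" negation fires on ordinary web traffic to ports such as 8080 and 8000, and models the effect of the "pass" rules the post recommends as an explicit set of known web ports that the rule does not inspect. The addresses, payloads and the KNOWN_WEB_PORTS set are constructed assumptions; this is a simulation of the rule's logic, not Snort's own rule engine.

```python
# Added example: simulate Snort sid 1432 over constructed flows and show how
# an explicit list of known web ports (the effect of "pass" rules) removes
# the false positives on non-standard web ports.

from dataclasses import dataclass


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes
    established: bool = True   # the rule requires flow:to_server,established


# Constructed sample flows (hypothetical addresses). 6346 is Gnutella's
# default port; 8080 and 8000 are the web ports mentioned in the post.
FLOWS = [
    Flow("10.0.0.5", "198.51.100.20", 6346,
         b"GET /uri-res/N2R?urn:sha1:PLACEHOLDERHASH HTTP/1.1\r\n"),
    Flow("10.0.0.7", "203.0.113.8", 8080, b"GET /index.html HTTP/1.1\r\n"),
    Flow("10.0.0.7", "203.0.113.8", 8000, b"GET /api/status HTTP/1.1\r\n"),
    Flow("10.0.0.9", "203.0.113.8", 80, b"GET / HTTP/1.1\r\n"),
    Flow("10.0.0.9", "198.51.100.20", 6346, b"GNUTELLA CONNECT/0.6\r\n"),
]


def sid_1432_matches(flow: Flow) -> bool:
    """Conditions of sid 1432: established to-server flow, destination port
    other than 80, and the bytes "GET " at offset 0 (depth 4)."""
    if not flow.established:
        return False
    if flow.dport == 80:                      # the "!80" in the rule header
        return False
    return flow.payload[0:4] == b"GET "       # content at offset 0, depth 4


# Assumed set of ports on which this site runs legitimate web servers; this
# stands in for the per-port "pass" rules the post suggests adding.
KNOWN_WEB_PORTS = {80, 8080, 8000}


def sid_1432_with_pass(flow: Flow, web_ports=frozenset(KNOWN_WEB_PORTS)) -> bool:
    """Same rule once traffic to the known web ports is passed before it."""
    if flow.dport in web_ports:
        return False
    return sid_1432_matches(flow)


def alerts(rule, flows=FLOWS):
    """Destination ports of the flows on which the given rule fires."""
    return [f.dport for f in flows if rule(f)]


if __name__ == "__main__":
    print("original rule fires on ports:  ", alerts(sid_1432_matches))
    print("with pass rules fires on ports:", alerts(sid_1432_with_pass))
```

Running it shows the original conditions firing on 6346, 8080 and 8000, while the version with the known-port set only fires on the Gnutella download request on 6346. The "GNUTELLA CONNECT" handshake on 6346 is not matched by either, since the rule only looks for "GET " at the start of the payload.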