[Snort-sigs] Using snort to Identify P2P transfers.

Dan Monjar daniel.monjar at ...1816...
Wed Oct 1 08:52:06 EDT 2003


--On Wednesday, October 01, 2003 09:22:34 AM -0400 Nigel Houghton 
<nigel at ...435...> wrote:

> If there are
> some false positives you have encountered with this rule please let
> everyone know by posting your observations to the list. The same goes for
> all rules.

Perhaps you could explain what I am seeing?  I enabled p2p rules last night 
and I am getting a bunch (like 7000) hits on this rule:

------------
Generated by ACID v0.9.6b23 on Wed,  1 Oct 2003 11:41:57 -0400

---------------------------------------------------------------------------
---
#(1 - 13653) [2003-10-01 11:30:22] [snort/1432]  P2P GNUTella GET
IPv4: 10.155.1.10 -> 216.120.6.4
      hlen=5 TOS=0 dlen=423 ID=1904 flags=0 offset=0 TTL=60 chksum=19392
TCP:  port=4722 -> dport: 8879  flags=***AP*** seq=952033353
      ack=2324578571 off=5 res=0 win=61440 urp=0 chksum=1874
Payload:  length = 383

000 : 47 45 54 20 2F 73 74 69 6C 6C 3F 63 61 6D 3D 30   GET /still?cam=0
010 : 26 69 3D 34 36 37 3A 31 30 36 35 30 32 32 31 31   &i=467:106502211
020 : 37 36 35 30 3A 30 20 48 54 54 50 2F 31 2E 30 0D   7650:0 HTTP/1.0.
030 : 0A 41 63 63 65 70 74 3A 20 2A 2F 2A 0D 0A 52 65   .Accept: */*..Re
040 : 66 65 72 65 72 3A 20 68 74 74 70 3A 2F 2F 77 77   ferer: http://ww
050 : 77 2E 73 61 6E 64 69 65 67 6F 7A 6F 6F 2E 6F 72   w.sandiegozoo.or
060 : 67 2F 70 61 6E 64 61 73 2F 70 61 6E 64 61 63 61   g/pandas/pandaca
070 : 6D 2F 69 6E 64 65 78 2E 68 74 6D 6C 0D 0A 41 63   m/index.html..Ac
080 : 63 65 70 74 2D 4C 61 6E 67 75 61 67 65 3A 20 65   cept-Language: e
090 : 6E 2D 75 73 0D 0A 55 73 65 72 2D 41 67 65 6E 74   n-us..User-Agent
0a0 : 3A 20 4D 6F 7A 69 6C 6C 61 2F 34 2E 30 20 28 63   : Mozilla/4.0 (c
0b0 : 6F 6D 70 61 74 69 62 6C 65 3B 20 4D 53 49 45 20   ompatible; MSIE
0c0 : 36 2E 30 3B 20 57 69 6E 64 6F 77 73 20 4E 54 20   6.0; Windows NT
0d0 : 35 2E 30 29 0D 0A 56 69 61 3A 20 31 2E 30 20 70   5.0)..Via: 1.0 p
0e0 : 72 6F 78 79 2E 6F 72 67 74 65 6B 2E 63 6F 6D 3A   roxy.orgtek.com:
0f0 : 38 30 20 28 73 71 75 69 64 2F 32 2E 35 2E 53 54   80 (squid/2.5.ST
100 : 41 42 4C 45 33 29 0D 0A 58 2D 46 6F 72 77 61 72   ABLE3)..X-Forwar
110 : 64 65 64 2D 46 6F 72 3A 20 31 30 2E 31 35 35 2E   ded-For: 10.155.
120 : 34 2E 38 37 0D 0A 48 6F 73 74 3A 20 70 61 6E 64   4.87..Host: pand
130 : 61 6F 73 2E 63 61 6D 7A 6F 6E 65 2E 63 6F 6D 3A   aos.camzone.com:
140 : 38 38 37 39 0D 0A 43 61 63 68 65 2D 43 6F 6E 74   8879..Cache-Cont
150 : 72 6F 6C 3A 20 6D 61 78 2D 61 67 65 3D 32 35 39   rol: max-age=259
160 : 32 30 30 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A   200..Connection:
170 : 20 6B 65 65 70 2D 61 6C 69 76 65 0D 0A 0D 0A       keep-alive....
------------

but the payload looks like a normal HTTP GET... is it not?

--
Daniel Monjar
IS Manager, Technical Services
bioMérieux, Inc.
Durham, NC US
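An added triage helper for alerts like the one above (not code from the post or from the Snort project): it rebuilds the 383-byte payload decoded from the ACID hex dump, parses it as HTTP, and applies an assumed simplification of a P2P "GET" signature (a leading "GET " token sent to a port outside an assumed $HTTP_PORTS-style set) to show why a proxied webcam fetch to port 8879 trips such a rule. The HTTP_PORTS set and the rule approximation are assumptions, not the real text of sid 1432.

```python
import re

HTTP_PORTS = {80, 8080, 3128}  # assumption: a $HTTP_PORTS-style set, tune per site

# Constructed by decoding the ACID hex dump in the post (383 bytes).
PAYLOAD = (
    b"GET /still?cam=0&i=467:1065022117650:0 HTTP/1.0\r\n"
    b"Accept: */*\r\n"
    b"Referer: http://www.sandiegozoo.org/pandas/pandacam/index.html\r\n"
    b"Accept-Language: en-us\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\n"
    b"Via: 1.0 proxy.orgtek.com:80 (squid/2.5.STABLE3)\r\n"
    b"X-Forwarded-For: 10.155.4.87\r\n"
    b"Host: pandaos.camzone.com:8879\r\n"
    b"Cache-Control: max-age=259200\r\n"
    b"Connection: keep-alive\r\n\r\n"
)

def parse_http_request(payload):
    """Return (method, target, headers) for a well-formed HTTP request, else None."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    m = re.fullmatch(rb"([A-Z]+) (\S+) HTTP/\d\.\d", lines[0])
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode(errors="replace")
    return m.group(1).decode(), m.group(2).decode(), headers

def generic_get_rule_fires(dport, payload):
    """Assumed simplification of a P2P 'GET' signature: a leading GET token
    sent to a port outside HTTP_PORTS. Not the actual text of Snort sid 1432."""
    return payload.startswith(b"GET ") and dport not in HTTP_PORTS

def triage(dport, payload):
    """Explain an alert: does the rule fire, and is the payload proxied browser HTTP?"""
    fires = generic_get_rule_fires(dport, payload)
    parsed = parse_http_request(payload)
    if parsed is None:
        return {"rule_fires": fires, "has_host_header": False, "proxied": False}
    _method, _target, h = parsed
    return {
        "rule_fires": fires,
        "has_host_header": "host" in h,              # ordinary web client behaviour
        "proxied": "via" in h or "x-forwarded-for" in h,  # squid added these
        "host": h.get("host"),
        "origin_client": h.get("x-forwarded-for"),
    }
```

For the alert in the post, `triage(8879, PAYLOAD)` reports the rule firing on a well-formed, proxied HTTP request whose only P2P-like trait is the non-standard destination port, which is the tuning question to raise with the rule's author.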