[Snort-sigs] Using snort to Identify P2P transfers.

Nigel Houghton nigel at ...435...
Wed Oct 1 09:37:05 EDT 2003


Looks to me like you are using a proxy server which means that any GET
request will trigger the rule. Instead of using !80 I might suggest
modifying to use the proxy port instead of 80.

Around 11:50am Dan Monjar said:

DM :--On Wednesday, October 01, 2003 09:22:34 AM -0400 Nigel Houghton
DM :<nigel at ...435...> wrote:
DM :
DM :> If there are
DM :> some false positives you have encountered with this rule please let
DM :> everyone know by posting your observations to the list. The same goes for
DM :> all rules.
DM :
DM :Perhaps you could explain what I am seeing?  I enabled p2p rules last night
DM :and I am getting a bunch (like 7000) hits on this rule:
DM :
DM :------------
DM :Generated by ACID v0.9.6b23 on Wed,  1 Oct 2003 11:41:57 -0400
DM :
DM :------------------------------------------------------------------------------
DM :#(1 - 13653) [2003-10-01 11:30:22] [snort/1432]  P2P GNUTella GET
DM :IPv4: 10.155.1.10 -> 216.120.6.4
DM :      hlen=5 TOS=0 dlen=423 ID=1904 flags=0 offset=0 TTL=60 chksum=19392
DM :TCP:  port=4722 -> dport: 8879  flags=***AP*** seq=952033353
DM :      ack=2324578571 off=5 res=0 win=61440 urp=0 chksum=1874
DM :Payload:  length = 383
DM :
DM :000 : 47 45 54 20 2F 73 74 69 6C 6C 3F 63 61 6D 3D 30   GET /still?cam=0
DM :010 : 26 69 3D 34 36 37 3A 31 30 36 35 30 32 32 31 31   &i=467:106502211
DM :020 : 37 36 35 30 3A 30 20 48 54 54 50 2F 31 2E 30 0D   7650:0 HTTP/1.0.
DM :030 : 0A 41 63 63 65 70 74 3A 20 2A 2F 2A 0D 0A 52 65   .Accept: */*..Re
DM :040 : 66 65 72 65 72 3A 20 68 74 74 70 3A 2F 2F 77 77   ferer: http://ww
DM :050 : 77 2E 73 61 6E 64 69 65 67 6F 7A 6F 6F 2E 6F 72   w.sandiegozoo.or
DM :060 : 67 2F 70 61 6E 64 61 73 2F 70 61 6E 64 61 63 61   g/pandas/pandaca
DM :070 : 6D 2F 69 6E 64 65 78 2E 68 74 6D 6C 0D 0A 41 63   m/index.html..Ac
DM :080 : 63 65 70 74 2D 4C 61 6E 67 75 61 67 65 3A 20 65   cept-Language: e
DM :090 : 6E 2D 75 73 0D 0A 55 73 65 72 2D 41 67 65 6E 74   n-us..User-Agent
DM :0a0 : 3A 20 4D 6F 7A 69 6C 6C 61 2F 34 2E 30 20 28 63   : Mozilla/4.0 (c
DM :0b0 : 6F 6D 70 61 74 69 62 6C 65 3B 20 4D 53 49 45 20   ompatible; MSIE
DM :0c0 : 36 2E 30 3B 20 57 69 6E 64 6F 77 73 20 4E 54 20   6.0; Windows NT
DM :0d0 : 35 2E 30 29 0D 0A 56 69 61 3A 20 31 2E 30 20 70   5.0)..Via: 1.0 p
DM :0e0 : 72 6F 78 79 2E 6F 72 67 74 65 6B 2E 63 6F 6D 3A   roxy.orgtek.com:
DM :0f0 : 38 30 20 28 73 71 75 69 64 2F 32 2E 35 2E 53 54   80 (squid/2.5.ST
DM :100 : 41 42 4C 45 33 29 0D 0A 58 2D 46 6F 72 77 61 72   ABLE3)..X-Forwar
DM :110 : 64 65 64 2D 46 6F 72 3A 20 31 30 2E 31 35 35 2E   ded-For: 10.155.
DM :120 : 34 2E 38 37 0D 0A 48 6F 73 74 3A 20 70 61 6E 64   4.87..Host: pand
DM :130 : 61 6F 73 2E 63 61 6D 7A 6F 6E 65 2E 63 6F 6D 3A   aos.camzone.com:
DM :140 : 38 38 37 39 0D 0A 43 61 63 68 65 2D 43 6F 6E 74   8879..Cache-Cont
DM :150 : 72 6F 6C 3A 20 6D 61 78 2D 61 67 65 3D 32 35 39   rol: max-age=259
DM :160 : 32 30 30 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A   200..Connection:
DM :170 : 20 6B 65 65 70 2D 61 6C 69 76 65 0D 0A 0D 0A       keep-alive....
DM :------------
DM :
DM :but the payload looks like a normal HTTP GET... is it not?
DM :
DM :--
DM :Daniel Monjar
DM :IS Manager, Technical Services
DM :bioMérieux, Inc.
DM :Durham, NC US

-------------------------------------------------------------
Nigel Houghton   Security Research Engineer   Sourcefire Inc.
                 Vulnerability Research Team

"Mankind hasn't even got the technology to create a toupee
that doesn't get big laughs." -- Lister

Message dated: Oct 1
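An added example, not part of this thread and not the Snort rule text itself: the Python below decodes the ACID hex dump quoted above, rebuilds the HTTP request so the Via and X-Forwarded-For headers can be read, and compares a plain-Python approximation of the rule as Nigel describes it (a GET to any destination port other than 80) with a variant that ignores GETs whose source is the site's own proxy, which is one reading of his suggestion. The proxy address 10.155.1.10 is simply the alert's source address; the "direct" Gnutella-style request, the address 192.0.2.77 and the server name are constructed for the illustration, and 6346 is Gnutella's customary port.

```python
"""Decode the alert's hex dump and walk through why the rule fired.

The rule logic here is an approximation of the behaviour described in the
thread (GET to a port other than 80), not the real sid 1432 rule body.
"""
import re

# Hex dump copied verbatim from the ACID alert quoted in the thread.
ACID_DUMP = """\
000 : 47 45 54 20 2F 73 74 69 6C 6C 3F 63 61 6D 3D 30   GET /still?cam=0
010 : 26 69 3D 34 36 37 3A 31 30 36 35 30 32 32 31 31   &i=467:106502211
020 : 37 36 35 30 3A 30 20 48 54 54 50 2F 31 2E 30 0D   7650:0 HTTP/1.0.
030 : 0A 41 63 63 65 70 74 3A 20 2A 2F 2A 0D 0A 52 65   .Accept: */*..Re
040 : 66 65 72 65 72 3A 20 68 74 74 70 3A 2F 2F 77 77   ferer: http://ww
050 : 77 2E 73 61 6E 64 69 65 67 6F 7A 6F 6F 2E 6F 72   w.sandiegozoo.or
060 : 67 2F 70 61 6E 64 61 73 2F 70 61 6E 64 61 63 61   g/pandas/pandaca
070 : 6D 2F 69 6E 64 65 78 2E 68 74 6D 6C 0D 0A 41 63   m/index.html..Ac
080 : 63 65 70 74 2D 4C 61 6E 67 75 61 67 65 3A 20 65   cept-Language: e
090 : 6E 2D 75 73 0D 0A 55 73 65 72 2D 41 67 65 6E 74   n-us..User-Agent
0a0 : 3A 20 4D 6F 7A 69 6C 6C 61 2F 34 2E 30 20 28 63   : Mozilla/4.0 (c
0b0 : 6F 6D 70 61 74 69 62 6C 65 3B 20 4D 53 49 45 20   ompatible; MSIE
0c0 : 36 2E 30 3B 20 57 69 6E 64 6F 77 73 20 4E 54 20   6.0; Windows NT
0d0 : 35 2E 30 29 0D 0A 56 69 61 3A 20 31 2E 30 20 70   5.0)..Via: 1.0 p
0e0 : 72 6F 78 79 2E 6F 72 67 74 65 6B 2E 63 6F 6D 3A   roxy.orgtek.com:
0f0 : 38 30 20 28 73 71 75 69 64 2F 32 2E 35 2E 53 54   80 (squid/2.5.ST
100 : 41 42 4C 45 33 29 0D 0A 58 2D 46 6F 72 77 61 72   ABLE3)..X-Forwar
110 : 64 65 64 2D 46 6F 72 3A 20 31 30 2E 31 35 35 2E   ded-For: 10.155.
120 : 34 2E 38 37 0D 0A 48 6F 73 74 3A 20 70 61 6E 64   4.87..Host: pand
130 : 61 6F 73 2E 63 61 6D 7A 6F 6E 65 2E 63 6F 6D 3A   aos.camzone.com:
140 : 38 38 37 39 0D 0A 43 61 63 68 65 2D 43 6F 6E 74   8879..Cache-Cont
150 : 72 6F 6C 3A 20 6D 61 78 2D 61 67 65 3D 32 35 39   rol: max-age=259
160 : 32 30 30 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A   200..Connection:
170 : 20 6B 65 65 70 2D 61 6C 69 76 65 0D 0A 0D 0A       keep-alive....
"""

# The alert's source address.  It is the proxy, not a workstation: squid
# opened the TCP connection to the origin server on the client's behalf.
PROXY_IPS = frozenset({"10.155.1.10"})

# Constructed sample (not from the thread): a workstation talking straight
# to a Gnutella servent on its customary port 6346, no proxy in the path.
DIRECT_P2P_GET = (b"GET /get/17/example.mp3 HTTP/1.1\r\n"
                  b"Host: 192.0.2.77:6346\r\n"
                  b"Connection: Keep-Alive\r\n\r\n")


def decode_acid_dump(dump: str) -> bytes:
    """Turn ACID's 'offset : hex bytes   ascii' lines back into raw bytes.

    Only the hex column is used.  The ASCII gutter is deliberately ignored
    because it can contain hex-looking text ('80' in '80 (squid/...').
    """
    out = bytearray()
    for line in dump.splitlines():
        m = re.match(r"^[0-9a-fA-F]{3} : ((?:[0-9A-Fa-f]{2} ?)+)", line)
        if not m:
            raise ValueError(f"not an ACID dump line: {line!r}")
        out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)


def parse_http_request(payload: bytes):
    """Split a request into (method, target, version, headers).

    Header names are lower-cased so lookups do not depend on the client's
    capitalisation; values keep their original text.
    """
    head, _, _body = payload.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def proxy_evidence(headers: dict) -> dict:
    """Headers showing the request was relayed: 'via' names the proxy and
    its software, 'x-forwarded-for' the workstation that really asked."""
    return {k: headers[k] for k in ("via", "x-forwarded-for") if k in headers}


def rule_as_described(dst_port: int, payload: bytes) -> bool:
    """Approximation of the rule as the thread describes it: any GET to a
    destination port other than 80 matches, whether proxied or not."""
    return dst_port != 80 and payload.startswith(b"GET ")


def rule_proxy_aware(src_ip: str, dst_port: int, payload: bytes,
                     proxy_ips=PROXY_IPS) -> bool:
    """Same match, but the proxy's own outbound GETs are not counted.

    A forward proxy legitimately fetches from whatever port the client's
    URL names, so its outbound requests carry no P2P signal.  A workstation
    that bypasses the proxy and issues a GET to an odd port still alerts.
    """
    if src_ip in proxy_ips:
        return False
    return rule_as_described(dst_port, payload)


if __name__ == "__main__":
    payload = decode_acid_dump(ACID_DUMP)
    method, target, version, headers = parse_http_request(payload)
    print(len(payload), "bytes:", method, target, version)
    print("relayed by a proxy:", proxy_evidence(headers))
    print("described rule, proxied GET to 8879:", rule_as_described(8879, payload))
    print("proxy-aware rule, same packet     :", rule_proxy_aware("10.155.1.10", 8879, payload))
    print("proxy-aware rule, direct GET 6346 :", rule_proxy_aware("10.155.4.87", 6346, DIRECT_P2P_GET))
```

Reading the decoded headers answers Dan's question directly: the request is an ordinary browser GET that squid relayed for 10.155.4.87 to a web server listening on 8879, so a rule keyed only on "GET to a non-80 port" will fire for every such proxied fetch. Excluding the proxy's address is one way to keep the rule useful for workstations that go around the proxy; it does nothing for a P2P client that tunnels through the proxy, which is a separate detection problem.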



