[Snort-sigs] P2P GNUTella GET causes lots of false positives
shane at ...1839...
Thu Sep 4 12:30:08 EDT 2003
I'm new to Snort, so sorry if this has been covered recently. SID 1432
regarding p2p networks seems weird to me.
alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"P2P GNUTella GET";
flow:to_server,established; content:"GET "; offset:0; depth:4;
classtype:policy-violation; sid:1432; rev:4;)
If I am reading this correctly, then any packet containing "GET" headed out
of my network, destined for any port other than 80 will trigger this rule.
Won't this cause a false positive with every HTTP GET request to any
external server with non-standard ports?
Simply hitting that URL causes the rule to fire.
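An added illustration, not part of the original post: a small Python model of SID 1432's match logic (the !80 port test plus content:"GET " with offset:0 and depth:4) run over constructed sample flows, so the false-positive behaviour can be checked directly. It assumes the flow is already established and client-to-server, as flow:to_server,established requires, and that the $HOME_NET -> $EXTERNAL_NET direction holds; the Flow class and sample payloads are constructed for this example.

```python
# Added example (not from the original post or the Snort project): a minimal
# model of SID 1432's matching logic applied to constructed sample flows.
# Assumes flow:to_server,established and the $HOME_NET -> $EXTERNAL_NET
# direction are already satisfied, so only port and content are checked.
from dataclasses import dataclass


@dataclass
class Flow:
    dst_port: int   # destination port on the external server
    payload: bytes  # first client payload of the established flow


def sid_1432_matches(flow: Flow) -> bool:
    """Model of: alert tcp $HOME_NET any -> $EXTERNAL_NET !80
    content:"GET "; offset:0; depth:4;

    offset:0 with depth:4 restricts the search to the first four payload
    bytes, so the four-byte pattern "GET " must sit at the very start of
    the payload; a "GET" appearing later in the payload does not match.
    """
    if flow.dst_port == 80:  # !80 excludes only port 80
        return False
    return flow.payload[0:4] == b"GET "


# Constructed sample flows (not captured traffic). Port 6346 is the usual
# Gnutella port; 8080 stands in for a web server on a non-standard port.
SAMPLES = {
    "gnutella_get_6346": Flow(6346, b"GET /get/123/file.mp3 HTTP/1.1\r\n"),
    "http_get_8080": Flow(8080, b"GET /index.html HTTP/1.1\r\nHost: x\r\n"),
    "http_get_80": Flow(80, b"GET /index.html HTTP/1.1\r\n"),
    "http_post_8080": Flow(8080, b"POST /login HTTP/1.1\r\n"),
    "get_not_at_start": Flow(8080, b"X-Note: GET \r\n"),
}


def evaluate(samples=SAMPLES) -> dict:
    """Return {sample name: True if SID 1432 would alert on it}."""
    return {name: sid_1432_matches(f) for name, f in samples.items()}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:20s} {'ALERT' if hit else '-'}")
```

Both the Gnutella download request and the ordinary HTTP GET to port 8080 alert, which is exactly the false-positive pattern described in the post; only the port-80 request, the POST, and a payload where "GET " is not at offset 0 are ignored.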