[Snort-sigs] P2P GNUTella GET causes lots of false positives

Shane Smith shane at ...1839...
Thu Sep 4 12:30:08 EDT 2003


Hey Folks,

I'm new to snort, so sorry if this has been covered recently.  SID 1432
regarding p2p networks seems weird to me.

alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"P2P GNUTella GET"; flow:to_server,established; content:"GET "; offset:0; depth:4; classtype:policy-violation; sid:1432; rev:4;)

If I am reading this correctly, then any packet containing "GET" headed out
of my network, destined for any port other than 80, will trigger this rule.

Won't this cause a false positive with every HTTP GET request to any
external server with non-standard ports?

For example:
http://www.nhc.rtp.nc.us:8080/

Simply hitting that URL causes the rule to fire.

Thanks folks,
Shane
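To make the matching logic of SID 1432 concrete, here is an added example (not part of the original post and not Snort's own code): a small Python re-implementation of the rule's options, run over constructed packet records. The HOME_NET range, the sample addresses and the payloads are all assumptions chosen for illustration; $EXTERNAL_NET is treated as "anything not in HOME_NET", which is the common default.

```python
"""
Added example: a minimal model of what SID 1432 rev 4's options mean, applied
to constructed packets. It is not the Snort engine, only the matching rules
the quoted signature expresses, written out so the false-positive case is visible.
"""
import ipaddress
from dataclasses import dataclass

# Assumed network definition (placeholder, not taken from the post).
HOME_NET = ipaddress.ip_network("10.0.0.0/8")


@dataclass
class Packet:
    name: str
    src: str
    dst: str
    dport: int
    to_server: bool     # flow:to_server   -> client-to-server direction
    established: bool   # flow:established -> TCP handshake already completed
    payload: bytes


def sid1432_matches(pkt: Packet) -> bool:
    """Return True when the packet would fire the quoted SID 1432 rule."""
    src_is_home = ipaddress.ip_address(pkt.src) in HOME_NET
    # $EXTERNAL_NET assumed to be !$HOME_NET (Snort's default setting).
    dst_is_external = ipaddress.ip_address(pkt.dst) not in HOME_NET
    if not (src_is_home and dst_is_external):
        return False
    if pkt.dport == 80:                      # destination port "!80"
        return False
    if not (pkt.to_server and pkt.established):
        return False
    # content:"GET "; offset:0; depth:4 -> only the first four payload bytes
    # are inspected, so any request line that starts with "GET " matches.
    return pkt.payload[0:4] == b"GET "


# Constructed sample traffic (addresses from TEST-NET-2, not real hosts).
SAMPLE_PACKETS = [
    # Ordinary HTTP GET to a web server on 8080: the false positive from the post.
    Packet("http-8080", "10.1.2.3", "198.51.100.10", 8080, True, True,
           b"GET / HTTP/1.1\r\nHost: www.nhc.rtp.nc.us:8080\r\n\r\n"),
    # A Gnutella-style download request on the client port 6346: the intended hit.
    Packet("gnutella-6346", "10.1.2.3", "198.51.100.20", 6346, True, True,
           b"GET /get/12/song.mp3 HTTP/1.1\r\nUser-Agent: LimeWire\r\n\r\n"),
    # Same HTTP GET but to port 80: excluded by "!80".
    Packet("http-80", "10.1.2.3", "198.51.100.10", 80, True, True,
           b"GET / HTTP/1.1\r\nHost: www.nhc.rtp.nc.us\r\n\r\n"),
    # A POST on 8080: first four bytes are "POST", so no content match.
    Packet("post-8080", "10.1.2.3", "198.51.100.10", 8080, True, True,
           b"POST /form HTTP/1.1\r\n\r\n"),
    # Internal-to-internal GET on 8080: fails the $HOME_NET -> $EXTERNAL_NET test.
    Packet("internal-8080", "10.1.2.3", "10.9.9.9", 8080, True, True,
           b"GET / HTTP/1.1\r\n\r\n"),
    # Server-to-client direction: fails flow:to_server.
    Packet("reply-8080", "10.1.2.3", "198.51.100.10", 8080, False, True,
           b"GET / HTTP/1.1\r\n\r\n"),
]


def alerts(packets) -> list:
    """Names of the packets that would raise the SID 1432 alert."""
    return [p.name for p in packets if sid1432_matches(p)]


if __name__ == "__main__":
    for name in alerts(SAMPLE_PACKETS):
        print(f"[SID 1432] P2P GNUTella GET fired on: {name}")
```

Running it fires on both the Gnutella request and the plain HTTP GET to port 8080, because the signature has no way to tell them apart: the only payload check is the first four bytes. That is the detection gap the post describes, and any tuning would have to add something beyond "GET " on a non-80 port (for example, a Gnutella-specific header or a narrower port list) rather than relying on the request verb.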




