[Snort-sigs] SID 557 contrib

Gene Gomez gegomez at ...1889...
Mon Sep 22 06:58:22 EDT 2003


Rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P GNUTella client request"; flow:to_server,established; content:"GNUTELLA OK"; depth:40; classtype:policy-violation; sid:557; rev:6;)

--

Sid:

557

--

Summary:

A network-external server has okayed an internal GNUTella client
connection attempt and they have begun communications.

--

Impact:

Possible policy violation.

--

Detailed Information:

GNUTella is a P2P (Peer-to-Peer) protocol for exchanging arbitrary
files.  Depending on your site's policies, using it may be a policy
violation.

If not properly configured, GNUTella clients may accidentally share out
confidential files.  GNUTella worms (which use deceptive names to
encourage download) and viruses may also be accidentally downloaded by a
client.

--

Affected Systems:

Any system with a GNUTella client installed (available for most
platforms)

--

Attack Scenarios:

N/A

--

Ease of Attack:

N/A

--

False Positives:

None known.

--

False Negatives:

None known.

--

Corrective Action:

Depends on acceptable use policies.

--

Contributors:

Gene R Gomez (gene!AT!gomezbrothers!DOT!com)

-- 

Additional References:

http://www.gnutella.com
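
Added example (not part of the original post or of Snort itself): a small Python emulation of the payload test in the rule above, showing how content:"GNUTELLA OK" combined with depth:40 behaves on a few constructed payloads. The function names and sample payloads are assumptions made for illustration; flow state is passed in as booleans because Snort derives it from stream tracking, not from the packet bytes.

```python
# Added example: emulates the payload test of SID 557 (content + depth).
# Function names and sample payloads are hypothetical, built for this sketch.

CONTENT = b"GNUTELLA OK"   # content:"GNUTELLA OK"; case-sensitive (no nocase)
DEPTH = 40                 # depth:40; search only the first 40 payload bytes


def content_within_depth(payload: bytes, content: bytes = CONTENT,
                         depth: int = DEPTH) -> bool:
    """True if content lies entirely inside the first `depth` payload bytes."""
    return content in payload[:depth]


def sid_557_matches(payload: bytes, to_server: bool, established: bool) -> bool:
    """Apply the rule's flow requirement, then its content/depth test."""
    if not (to_server and established):
        return False
    return content_within_depth(payload)


# Constructed payloads (not captured traffic).
SAMPLES = {
    "handshake_ok": b"GNUTELLA OK\n\n",
    "edge_of_depth": b"X" * 29 + b"GNUTELLA OK\n\n",  # string ends at byte 40
    "late_string": b"X" * 30 + b"GNUTELLA OK\n\n",    # string ends at byte 41
    "lowercase": b"gnutella ok\n\n",                  # rule has no nocase
    "http_get": b"GET / HTTP/1.0\r\n\r\n",
}


def evaluate(to_server: bool = True, established: bool = True) -> dict:
    """Run every constructed sample through the emulated rule."""
    return {name: sid_557_matches(payload, to_server, established)
            for name, payload in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:14s} {'ALERT' if hit else '-'}")
```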
