[Snort-sigs] SID 556 RE-contrib (apologies; I misread the rule)
gegomez at ...1889...
Mon Sep 22 06:58:31 EDT 2003
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P Outbound GNUTella
client request"; flow:to_server,established; content:"GNUTELLA CONNECT";
depth:40; classtype:policy-violation; sid:556; rev:5;)
A network-internal client has connected to an external GNUTella server
and issued a connect attempt to begin communications.
Possible policy violation.
GNUTella is a P2P (Peer-to-Peer) protocol for exchanging arbitrary
files. Depending on your site's policies, using it may be a policy
If not propely configured, GNUTella clients may accidentally share out
confidential files. GNUTella worms (which use deceptive names to
encourage download) and viruses may also be accidentally downloaded by a
This rule being triggered means that a GNUTella client has been detected
on your network.
Any system with a GNUTella client installed (available for most
Ease of Attack:
This rule detects the term "GNUTELLA CONNECT" on all ports. As a
result, any email, web page, or other network content that discusses the
protocol and its messages will trigger this alert.
Depends on acceptable use policies.
Gene R Gomez (gene!AT!gomezbrothers!DOT!com)
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-sigs