[Snort-sigs] SID 1432 False Positive (P2P GNUTella client request)

lonewf at ...1841...
Mon Aug 16 07:52:35 EDT 2004


#This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to others' work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# 
# $Id$
#
# 

Rule:  
P2P GNUTella client request
--
Sid:1432

--
Summary:

--
Impact:

--
Detailed Information:

Perhaps I just have my Snort EXTERNAL_NET variable (set to any)
confusing the rule, but under False Positives you can see that going to
get updates for Fedora RC2 triggers this alert (and Gnutella is not installed).
--
Affected Systems:
Fedora RC2 w/ SNORT 2.1.3 (Build 27)
--
Attack Scenarios:

--
Ease of Attack:

--
False Positives:

Date: Wed, 11 Aug 2004 17:53:58 -0400
To: root at ...2730...
Subject: ACID Incident Report
From: ACID Alert <acid at ...2730...>
 
Generated by ACID v0.9.6b23 on Wed, 11 Aug 2004 17:53:58 -0400
 
------------------------------------------------------------------------------
#(1 - 67) [2004-08-11 17:30:02] [snort/1432]  P2P GNUTella GET
IPv4: 10.16.99.213 -> 167.201.2.243
      hlen=5 TOS=0 dlen=344 ID=5493 flags=0 offset=0 TTL=64 chksum=2954
TCP:  port=32958 -> dport: 8080  flags=***AP*** seq=2825786630
      ack=2810501394 off=8 res=0 win=46 urp=0 chksum=56562
      Options:
       #1 - NOP len=0
       #2 - NOP len=0
       #3 - TS len=8 data=007C007A1D7D9338
Payload:  length = 292
 
000 : 47 45 54 20 68 74 74 70 3A 2F 2F 64 6F 77 6E 6C   GET http://downl
010 : 6F 61 64 2E 66 65 64 6F 72 61 2E 72 65 64 68 61   oad.fedora.redha
020 : 74 2E 63 6F 6D 2F 70 75 62 2F 66 65 64 6F 72 61   t.com/pub/fedora
030 : 2F 6C 69 6E 75 78 2F 63 6F 72 65 2F 32 2F 69 33   /linux/core/2/i3
040 : 38 36 2F 6F 73 2F 68 65 61 64 65 72 73 2F 68 65   86/os/headers/he
050 : 61 64 65 72 2E 69 6E 66 6F 20 48 54 54 50 2F 31   ader.info HTTP/1
060 : 2E 31 0D 0A 48 6F 73 74 3A 20 64 6F 77 6E 6C 6F   .1..Host: downlo
070 : 61 64 2E 66 65 64 6F 72 61 2E 72 65 64 68 61 74   ad.fedora.redhat
080 : 2E 63 6F 6D 0D 0A 41 63 63 65 70 74 2D 45 6E 63   .com..Accept-Enc
090 : 6F 64 69 6E 67 3A 20 69 64 65 6E 74 69 74 79 0D   oding: identity.
0a0 : 0A 50 72 6F 78 79 2D 41 75 74 68 6F 72 69 7A 61   .Proxy-Authoriza
0b0 : 74 69 6F 6E 3A 20 42 61 73 69 63 20 62 57 39 79   tion: Basic bW9y
0c0 : 63 6D 6C 6B 59 54 70 6C 63 48 59 79 4E 33 70 36   cmlSYTQlcHYyN3p6
0d0 : 0D 0A 49 66 2D 4D 6F 64 69 66 69 65 64 2D 53 69   ..If-Modified-Si
0e0 : 6E 63 65 3A 20 54 68 75 2C 20 31 33 20 4D 61 79   nce: Thu, 13 May
0f0 : 20 32 30 30 34 20 31 31 3A 31 31 3A 34 30 20 47    2004 11:11:40 G
100 : 4D 54 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20   MT..User-Agent:
110 : 52 48 4E 2D 41 70 70 6C 65 74 2F 32 2E 31 2E 37   RHN-Applet/2.1.7
120 : 0D 0A 0D 0A                                       ....
 

[I altered a few characters in the trace for the authentication piece]
--
False Negatives:

--
Corrective Action:

--
Contributors:
lonewf at ...1841...
-- 
Additional References:
http://www.snort.org/snort-db/sid.html?sid=1432

---
David
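The trace above is an ordinary HTTP request sent to a proxy on port 8080 (absolute URI in the request line, a Proxy-Authorization header, and the RHN-Applet user agent), yet it is logged as a Gnutella hit. The following is an added example, not code from this post or from the Snort project, that reproduces the situation offline: it reassembles an ACID-style payload dump into bytes, parses the HTTP request, and runs two checks over it. The "loose" check is my assumption of what a rule named "P2P GNUTella GET" keys on (a bare `GET ` at the start of the client payload; the actual body of SID 1432 is not quoted on this page), and the "strict" check requires an artefact that is specific to the Gnutella 0.6 protocol. Both sample requests, the `192.0.2.10` host, the urn:sha1 value and the `user:pass` proxy credentials are constructed for the example.

```python
# Added example: reproduce the SID 1432 false positive offline.  Not from the
# Snort-sigs post or from Snort; the "loose" check is an assumption about the
# rule, the sample requests and credentials are constructed.
import base64
import re
from typing import Dict, Optional, Tuple

# Constructed: proxied RHN applet request modelled on the post's trace, with
# the dummy Proxy-Authorization value "user:pass" (base64 dXNlcjpwYXNz).
RHN_REQUEST = (
    b"GET http://download.fedora.redhat.com/pub/fedora/linux/core/2/i386/os/"
    b"headers/header.info HTTP/1.1\r\n"
    b"Host: download.fedora.redhat.com\r\n"
    b"Accept-Encoding: identity\r\n"
    b"Proxy-Authorization: Basic dXNlcjpwYXNz\r\n"
    b"If-Modified-Since: Thu, 13 May 2004 11:11:40 GMT\r\n"
    b"User-Agent: RHN-Applet/2.1.7\r\n"
    b"\r\n"
)

# Constructed: a Gnutella 0.6 HTTP download request (host and hash made up).
GNUTELLA_DOWNLOAD = (
    b"GET /uri-res/N2R?urn:sha1:PLSTHIPQGSSZTS5FJUPAKUZWUGYQYPFB HTTP/1.1\r\n"
    b"Host: 192.0.2.10:6346\r\n"
    b"User-Agent: LimeWire/4.0\r\n"
    b"X-Gnutella-Content-URN: urn:sha1:PLSTHIPQGSSZTS5FJUPAKUZWUGYQYPFB\r\n"
    b"Connection: close\r\n"
    b"\r\n"
)

# One ACID payload line: hex offset, colon, up to 16 "XX" bytes, ASCII column.
ACID_LINE = re.compile(r"^\s*[0-9A-Fa-f]{3,}\s*:(.*)$")


def acid_hexdump(payload: bytes) -> str:
    """Render bytes in the ACID payload format ('off : XX XX ...   ascii')."""
    lines = []
    for off in range(0, len(payload), 16):
        chunk = payload[off:off + 16]
        hexpart = " ".join(f"{b:02X}" for b in chunk).ljust(47)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:03x} : {hexpart}   {text}")
    return "\n".join(lines)


def parse_acid_hexdump(text: str) -> bytes:
    """Reassemble the payload from an ACID report, trusting only the hex column
    (the ASCII column is lossy and, as in the post, may have been edited)."""
    out = bytearray()
    for line in text.splitlines():
        m = ACID_LINE.match(line)
        if not m:
            continue  # report headers, 'Payload: length = N', blank lines
        hex_field = m.group(1)[:48]  # 16 x 'XX ' sits before the ASCII column
        tokens = hex_field.split()
        if any(len(t) != 2 for t in tokens):
            raise ValueError(f"malformed hex dump line: {line!r}")
        out += bytes.fromhex("".join(tokens))
    return bytes(out)


def parse_http_request(payload: bytes) -> Tuple[str, str, str, Dict[str, str]]:
    """Split an HTTP/1.x request into (method, target, version, headers)."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)  # ValueError if not HTTP
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def loose_gnutella_get(payload: bytes) -> bool:
    """Assumed SID 1432 logic: client payload starting with 'GET '.  With
    EXTERNAL_NET set to any this fires on every outbound HTTP request."""
    return payload[:4] == b"GET "


# Gnutella download paths: '/get/<index>/<name>' or '/uri-res/N2R?urn:sha1:...'
GNUTELLA_PATH = re.compile(r"^/(get/\d+/|uri-res/N2R\?urn:sha1:)", re.IGNORECASE)


def strict_gnutella_request(payload: bytes) -> bool:
    """Require something only Gnutella 0.6 peers send: the handshake, an
    X-Gnutella-* header, or a Gnutella download path."""
    if payload.startswith(b"GNUTELLA CONNECT/") or payload.startswith(b"GNUTELLA/"):
        return True
    try:
        method, target, _, headers = parse_http_request(payload)
    except ValueError:
        return False
    if any(name.startswith("x-gnutella-") for name in headers):
        return True
    return method == "GET" and GNUTELLA_PATH.match(target) is not None


def basic_credentials(headers: Dict[str, str]) -> Optional[str]:
    """Decode a Basic (Proxy-)Authorization header; base64 is reversible, so
    proxy credentials in an IDS trace are readable by anyone with console access."""
    value = headers.get("proxy-authorization") or headers.get("authorization")
    if not value or not value.lower().startswith("basic "):
        return None
    return base64.b64decode(value[6:].strip()).decode("latin-1")


if __name__ == "__main__":
    recovered = parse_acid_hexdump(acid_hexdump(RHN_REQUEST))
    for label, req in (("RHN via proxy", recovered), ("Gnutella", GNUTELLA_DOWNLOAD)):
        print(f"{label}: loose={loose_gnutella_get(req)} strict={strict_gnutella_request(req)}")
```

Run stand-alone it reports the proxied RHN request as firing the loose check but not the strict one, and the Gnutella download as firing both. The decoder also shows why the poster scrubbed the trace: a Basic Proxy-Authorization header is recoverable in full from the hex column, so the hex and ASCII columns both need editing before a report is shared. On the Snort side, the quick operational fix for this particular source is a `suppress gen_id 1, sig_id 1432, track by_dst, ip 167.201.2.243` entry in threshold.conf (Snort 2.x syntax) for the proxy, which keeps the rule alive for direct connections; the longer-term fix is a rule that keys on a Gnutella-specific artefact rather than on `GET` alone.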
