[Snort-sigs] False positives for Napster signatures

Sam Evans wintrmte at ...2420...
Thu Dec 9 13:42:01 EST 2004


Since the original Napster service is long gone, I would like to
propose that the Napster signatures in the p2p.rules file be removed.

We have had several false positives fire because of their loose
signature checking.  And by loose, this is what I am referring to:

alert tcp $HOME_NET any <> $EXTERNAL_NET 6699 (msg:"P2P Napster Client
Data"; flow:established; content:".mp3"; nocase;
classtype:policy-violation; sid:561; rev:6;)

Port 6699 is used on some IRC servers and we've had instances where
this has fired.  We have also had instances where the string .mp3 is
returned by the random high numbered port in a TCP stream.

Any thoughts?

Thanks,
Sam
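To make the false-positive argument concrete, here is an added example (not part of the original post and not Snort's own matching engine) that approximates the detection condition of sid:561 in Python and runs it over a handful of constructed payloads. The rule is bidirectional (`<>`), so port 6699 on either side qualifies, and `content:".mp3"; nocase;` reduces to a case-insensitive substring test; `flow:established` is assumed to be satisfied for every sample. The sample payloads and their "is this really Napster" labels are constructed for illustration.

```python
# Approximate evaluation of sid:561 against constructed TCP payloads.
# This is an illustration of why a port + substring rule fires on benign
# traffic; it is not Snort and ignores stream reassembly and flow state.

# Constructed samples (label, src_port, dst_port, payload, truly_napster).
# The last field is the ground truth we assign for the demonstration.
SAMPLES = [
    ("napster share listing", 6699, 51234,
     b'"shared\\music\\track.mp3" 3721098 128 44100 180', True),
    ("irc privmsg on 6699", 6699, 40210,
     b":bob!~u@host PRIVMSG #music :anyone have the .MP3 of that talk?\r\n", False),
    ("http on unrelated high port", 8080, 42111,
     b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<a href=/song.mp3>dl</a>", False),
    ("ssh banner on 6699", 6699, 39988,
     b"SSH-2.0-OpenSSH_9.6\r\n", False),
]

def sid561_matches(src_port, dst_port, payload):
    """Mirror the rule's conditions: either endpoint on 6699 (the '<>' operator)
    and a case-insensitive '.mp3' anywhere in the payload (content + nocase).
    flow:established is assumed true for every sample."""
    port_ok = 6699 in (src_port, dst_port)
    content_ok = b".mp3" in payload.lower()
    return port_ok and content_ok

def classify(samples=SAMPLES):
    """Return a mapping label -> 'TP' | 'FP' | 'TN' | 'FN' by comparing the
    rule's verdict with the constructed ground-truth label."""
    outcome = {}
    for label, sport, dport, payload, truly_napster in samples:
        fired = sid561_matches(sport, dport, payload)
        if fired and truly_napster:
            outcome[label] = "TP"
        elif fired and not truly_napster:
            outcome[label] = "FP"
        elif not fired and truly_napster:
            outcome[label] = "FN"
        else:
            outcome[label] = "TN"
    return outcome

def false_positive_rate(samples=SAMPLES):
    """Share of non-Napster samples on which the rule fires."""
    verdicts = classify(samples)
    negatives = [v for (label, *_rest, truth) in samples
                 for v in [verdicts[label]] if not truth]
    return sum(v == "FP" for v in negatives) / len(negatives)

if __name__ == "__main__":
    for label, verdict in classify().items():
        print(f"{verdict}  {label}")
    print(f"false-positive rate on constructed negatives: {false_positive_rate():.2f}")
```

The IRC sample is the case the post describes: a server that happens to listen on 6699 and a channel message mentioning an MP3 file is enough to satisfy both conditions, while the port check alone does nothing to establish that the stream is Napster traffic.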
