[Snort-sigs] False positive for P2P GNUTella client request (1432)

Nigel Houghton nigel at ...435...
Fri Jun 25 07:20:01 EDT 2004

On  0, Randy Bradley <bradley at ...2582...> allegedly wrote:
> --
> False Positives:
> Any HTTP connection to a URL with port 8080 will trigger this alert.

Please make sure you have the latest version of this rule. It should look
like this:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P GNUTella client
request"; flow:to_server,established; content:"GNUTELLA"; depth:8;
classtype:policy-violation; sid:1432; rev:6;)

Looking at that rule, I fail to see how any HTTP connection to port 8080
or any other port will generate an event unless it contains the string
"GNUTELLA" after a certain place in the packet data.

Nigel Houghton       Research Engineer        Sourcefire Inc.
                 Vulnerability Research Team

In an emergency situation involving two or more officers of equal rank,
seniority will be granted to whichever officer can program a vcr.
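As an added illustration (not code from the post or from the Snort project), the content/depth check in sid:1432 modelled in Python and run over constructed sample payloads; it shows why a plain HTTP request to port 8080 cannot fire this rule while a Gnutella handshake does. The other rule conditions (flow, direction, networks) are assumed satisfied.

```python
# Added example (not from the original post): a minimal model of the
# content/depth check in Snort rule sid:1432, to show which payloads it
# can and cannot match. All sample payloads below are constructed.

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ContentMatch:
    """One Snort 'content' option with an optional 'depth' modifier."""
    pattern: bytes
    depth: Optional[int] = None  # None means search the whole payload

    def matches(self, payload: bytes) -> bool:
        # depth limits how many bytes from the start of the payload are
        # searched, so the whole pattern must fit inside that window.
        window = payload if self.depth is None else payload[: self.depth]
        return self.pattern in window


# The content check from the rule quoted above:  content:"GNUTELLA"; depth:8;
# With an 8-byte pattern and depth 8, the string must sit at offset 0.
SID_1432 = ContentMatch(pattern=b"GNUTELLA", depth=8)


def client_request_alerts(payload: bytes) -> bool:
    """True if the rule's content check fires on a client->server payload.

    flow:to_server,established and $HOME_NET -> $EXTERNAL_NET are assumed
    to hold for every payload passed in (hypothetical simplification).
    """
    return SID_1432.matches(payload)


# Constructed sample payloads
GNUTELLA_HANDSHAKE = b"GNUTELLA CONNECT/0.6\r\nUser-Agent: example\r\n\r\n"
HTTP_TO_8080 = b"GET /index.html HTTP/1.1\r\nHost: www.example.com:8080\r\n\r\n"
# The string is present but beyond the first 8 bytes, so depth:8 excludes it.
GNUTELLA_LATE = b"GET /GNUTELLA HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    for name, payload in [("gnutella handshake", GNUTELLA_HANDSHAKE),
                          ("http to port 8080", HTTP_TO_8080),
                          ("GNUTELLA past depth 8", GNUTELLA_LATE)]:
        verdict = "ALERT" if client_request_alerts(payload) else "no alert"
        print(f"{name}: {verdict}")
```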