[Snort-sigs] False positive for P2P GNUTella client request (1432)

Nigel Houghton nigel at ...435...
Fri Jun 25 07:20:01 EDT 2004


On  0, Randy Bradley <bradley at ...2582...> allegedly wrote:
> --
> False Positives:
> Any HTTP connection to a URL with port 8080 will trigger this alert.

Please make sure you have the latest version of this rule. It should look
like this:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P GNUTella client
request"; flow:to_server,established; content:"GNUTELLA"; depth:8;
classtype:policy-violation; sid:1432; rev:6;)

Looking at that rule, I fail to see how any HTTP connection to port 8080
or any other port will generate an event unless it contains the string
"GNUTELLA" after a certain place in the packet data.

-------------------------------------------------------------
Nigel Houghton       Research Engineer        Sourcefire Inc.
                 Vulnerability Research Team

In an emergency situation involving two or more officers of equal rank,
seniority will be granted to whichever officer can program a vcr.
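The point made above is that sid:1432 only fires when the bytes "GNUTELLA" sit inside the first 8 bytes of a client-to-server payload on an established session; a plain HTTP request to port 8080 never satisfies that. As an added illustration (not from this post and not Snort's own code), here is a Python re-implementation of those option checks run over constructed sample payloads; the function and sample names are my own.

```python
# Re-implementation of the option logic of sid:1432 (assumption: simplified model,
# not Snort's matcher):
#   flow:to_server,established  -> only client->server packets on an established session
#   content:"GNUTELLA"; depth:8 -> the pattern must lie within the first 8 payload bytes
# Because the pattern itself is 8 bytes long, depth:8 means it must start at offset 0.
# Snort content matches are case-sensitive unless the rule says "nocase" (it does not).

def matches_sid_1432(payload: bytes, to_server: bool = True, established: bool = True) -> bool:
    """Return True when one TCP packet's payload would trigger the rule."""
    if not (to_server and established):
        return False
    window = payload[:8]          # depth:8 limits the search to these bytes
    return b"GNUTELLA" in window


# Constructed sample payloads (not real captures) that exercise each rule option.
SAMPLES = {
    # Ordinary HTTP request to a port-8080 service: no "GNUTELLA" at all.
    "http_to_8080": (b"GET /index.html HTTP/1.1\r\nHost: www.example.com:8080\r\n\r\n", True),
    # Gnutella handshake as sent by a client: matches.
    "gnutella_connect": (b"GNUTELLA CONNECT/0.6\r\nUser-Agent: test\r\n\r\n", True),
    # Same wire string but flowing from the server: flow:to_server excludes it.
    "gnutella_from_server": (b"GNUTELLA/0.6 200 OK\r\n\r\n", False),
    # "GNUTELLA" present, but only in a header well past byte 8: depth excludes it.
    "string_beyond_depth": (b"POST /u HTTP/1.1\r\nX-Client: GNUTELLA\r\n\r\n", True),
    # Lower-case variant: content is case-sensitive without nocase.
    "lowercase_variant": (b"gnutella connect/0.6\r\n\r\n", True),
}


def classify_samples() -> dict:
    """Evaluate every sample; the payload tuple carries (bytes, to_server)."""
    return {name: matches_sid_1432(data, to_server=to_srv)
            for name, (data, to_srv) in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in classify_samples().items():
        print(f"{name:22s} -> {'ALERT' if hit else 'no alert'}")
```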
