[Snort-users] Gnutella

Matt Kettler mkettler at ...4108...
Thu Apr 3 11:51:21 EST 2003


It has absolutely nothing to do with gnutella. The rule is pretty wide open 
to false positives and basically looks for "GET " sent at the start of a 
TCP frame to some port other than 80.

If you transfer a lot of email with the all-caps string GET then snort will 
eventually trigger the rule just by random chance of it being at the start 
of a segment.

p2p.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"P2P GNUTella GET"; flow:to_server,established; content:"GET "; offset:0; depth:4; classtype:misc-activity; sid:1432; rev:3;)


At 01:07 PM 4/3/2003 -0500, Keg wrote:
>I have a P2P Gnutella GET alarm generated for some requests from mail 
>servers to 11 addresses, to which it connects on port 25. It looks like 
>legitimate traffic. Can anybody clarify what it has to do with Gnutella?
>--
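The segment-boundary effect described above, as an added example that is not part of the original post and not Snort's own code: a small Python model of what SID 1432 tests (first four payload bytes equal to "GET " on to_server traffic to any port but 80), run over a constructed SMTP transaction and a constructed Gnutella download request. The segmentation (fixed MSS, no write() boundaries or Nagle) and the per-segment inspection with no stream reassembly are simplifying assumptions; the names Segment, sid1432_matches, segmentize, alert_offsets and mss_that_aligns are this example's own.

```python
from dataclasses import dataclass
from typing import Iterator, List, Optional


@dataclass
class Segment:
    """One client->server TCP segment (constructed, simplified model)."""
    dst_port: int
    to_server: bool      # stand-in for flow:to_server,established (assumption)
    payload: bytes


def sid1432_matches(seg: Segment) -> bool:
    """Payload test of SID 1432 as modelled here: fire only on to_server traffic
    to a destination port other than 80, and only when the first four payload
    bytes are exactly "GET " (offset:0; depth:4 confine the content search to
    that window).  Assumption: each segment is inspected on its own, with no
    stream reassembly in front of the rule."""
    if not seg.to_server or seg.dst_port == 80:
        return False
    return seg.payload[:4] == b"GET "


def segmentize(stream: bytes, dst_port: int, mss: int) -> Iterator[Segment]:
    """Split an application-layer byte stream into segments of at most mss
    bytes, the way a sending stack with that MSS would (constructed; real
    stacks also split on write() boundaries, Nagle, window size, ...)."""
    if mss < 1:
        raise ValueError("mss must be positive")
    for i in range(0, len(stream), mss):
        yield Segment(dst_port, True, stream[i:i + mss])


def alert_offsets(stream: bytes, dst_port: int, mss: int) -> List[int]:
    """Stream offsets of every segment on which the modelled rule would fire."""
    return [i * mss
            for i, seg in enumerate(segmentize(stream, dst_port, mss))
            if sid1432_matches(seg)]


def mss_that_aligns(stream: bytes, needle: bytes = b"GET ") -> Optional[int]:
    """Return an MSS that puts the first occurrence of needle at the start of a
    segment, i.e. the segmentation that turns this stream into a false positive.
    None if the needle is absent or already at offset 0."""
    idx = stream.find(needle)
    return idx if idx > 0 else None


# Constructed SMTP transaction from a mail server to port 25.  The message body
# happens to contain the all-caps string "GET "; nothing about it is Gnutella.
SMTP_CLIENT_STREAM = (
    b"EHLO mx.example.com\r\n"
    b"MAIL FROM:<alice@example.com>\r\n"
    b"RCPT TO:<bob@example.net>\r\n"
    b"DATA\r\n"
    b"Subject: nightly build\r\n"
    b"\r\n"
    b"The probe reported: GET /status returned 500 twice.\r\n"
    b".\r\n"
)

# Constructed Gnutella download request to a peer on the default port 6346.
GNUTELLA_CLIENT_STREAM = (
    b"GET /get/42/track.mp3 HTTP/1.1\r\n"
    b"User-Agent: LimeWire/2.9\r\n"
    b"Range: bytes=0-\r\n"
    b"\r\n"
)


if __name__ == "__main__":
    print("gnutella to 6346, MSS 1460:", alert_offsets(GNUTELLA_CLIENT_STREAM, 6346, 1460))
    print("smtp to 25, MSS 1460:      ", alert_offsets(SMTP_CLIENT_STREAM, 25, 1460))
    unlucky = mss_that_aligns(SMTP_CLIENT_STREAM)
    print(f"smtp to 25, MSS {unlucky}:       ", alert_offsets(SMTP_CLIENT_STREAM, 25, unlucky))
```

With a normal MSS the whole SMTP transaction fits in one segment that starts with "EHLO", so nothing fires; choose the one segment size that happens to begin a segment right at the body's "GET " and the same bytes produce an alert. The real Gnutella request fires on its first segment, and the same request sent to port 80 is excluded by the rule's port negation rather than by anything protocol-specific.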
