mkettler at ...4108...
Thu Apr 3 11:51:21 EST 2003
It has absolutely nothing to do with gnutella. The rule is pretty wide open
to false-positives and basically looks for "GET " sent at the start of a
TCP frame to some port other than 80.
If you transfer a lot of email with the all-caps string GET, then Snort will
eventually trigger the rule just by random chance of it being at the start
of a segment.
p2p.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"P2P GNUTella GET"; flow:to_server,established; content:"GET "; offset:0; depth:4;
At 01:07 PM 4/3/2003 -0500, Keg wrote:
>I have a P2P Gnutella GET alarm generated for some requests from mail
>servers to 11 addresses, to which it connects on port 25. It looks like
>legit traffic. Can anybody clarify what it has to do with Gnutella?
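An added example (not part of the original post or of the Snort rule set): a small Python model of the matching logic of the rule quoted above, run over a constructed SMTP session to show how a segment boundary that happens to fall just before the word GET produces the alert, and how the same request on port 80 is ignored while on any other port it fires. The $HOME_NET/$EXTERNAL_NET address checks are assumed satisfied; the `excluded_ports` parameter generalises the `!80` so the tuning effect can be shown and is a feature of this model, not the syntax of the original rule. The SMTP and HTTP traffic is made up for the example.

```python
"""Added example (not from the original post): a model of the Snort
"P2P GNUTella GET" rule quoted in the message, used to show why an SMTP
session can trigger it. All traffic below is constructed for the example."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Sequence


@dataclass
class Segment:
    dst_port: int
    to_server: bool    # flow:to_server   (client -> server direction)
    established: bool  # flow:established (handshake completed)
    payload: bytes


def gnutella_get_matches(seg: Segment,
                         excluded_ports: Sequence[int] = (80,)) -> bool:
    """Model of the rule's matching logic:
       alert tcp $HOME_NET any -> $EXTERNAL_NET !80
       (flow:to_server,established; content:"GET "; offset:0; depth:4; ...)
    $HOME_NET/$EXTERNAL_NET address checks are assumed to be satisfied.
    excluded_ports generalises the '!80' (a parameter of this model, not
    the syntax of the original rule)."""
    if seg.dst_port in excluded_ports:
        return False
    if not (seg.to_server and seg.established):
        return False
    # offset:0; depth:4 -> only the first four payload bytes are examined,
    # so "GET " anywhere else in the segment does not match.
    return seg.payload[:4] == b"GET "


def segment_stream(stream: bytes, mss: int, dst_port: int) -> List[Segment]:
    """Split a client's byte stream into segments of at most mss bytes,
    the way TCP would on a link with that MSS (no retransmissions)."""
    return [Segment(dst_port, True, True, stream[i:i + mss])
            for i in range(0, len(stream), mss)]


def alerting_segments(segments: Iterable[Segment],
                      excluded_ports: Sequence[int] = (80,)) -> List[int]:
    """Indices of the segments that would raise the alert."""
    return [i for i, s in enumerate(segments)
            if gnutella_get_matches(s, excluded_ports)]


# Constructed SMTP client stream (port 25): an ordinary message whose body
# happens to contain the all-caps word GET.
SMTP_CLIENT_STREAM = (
    b"EHLO mx.example.test\r\n"
    b"MAIL FROM:<a@example.test>\r\n"
    b"RCPT TO:<b@example.test>\r\n"
    b"DATA\r\n"
    b"Subject: status\r\n"
    b"\r\n"
    b"Please GET the report from the share before Friday.\r\n"
    b".\r\n"
)


def smtp_false_positive_demo(mss: Optional[int] = None,
                             excluded_ports: Sequence[int] = (80,)) -> List[int]:
    """Segment the SMTP stream and report which segments alert.
    By default the MSS is chosen so that a segment boundary lands right in
    front of "GET " - the same thing that happens by chance on a real link
    once enough mail has been relayed."""
    if mss is None:
        mss = SMTP_CLIENT_STREAM.index(b"GET ")
    segs = segment_stream(SMTP_CLIENT_STREAM, mss, 25)
    return alerting_segments(segs, excluded_ports)


def http_demo() -> dict:
    """A real HTTP GET: ignored on port 80, alerted on any other port."""
    req = b"GET /index.html HTTP/1.0\r\nHost: www.example.test\r\n\r\n"
    return {
        80: gnutella_get_matches(Segment(80, True, True, req)),
        8080: gnutella_get_matches(Segment(8080, True, True, req)),
    }


if __name__ == "__main__":
    print("SMTP segments alerting:", smtp_false_positive_demo())          # [1]
    print("SMTP with a larger MSS:", smtp_false_positive_demo(mss=1460))  # []
    print("SMTP with port 25 also excluded:",
          smtp_false_positive_demo(excluded_ports=(80, 25)))              # []
    print("HTTP GET by port:", http_demo())                # {80: False, 8080: True}
```

The second SMTP segment begins with the bytes `GET ` purely because of where the segment boundary fell, which is all the `content:"GET "; offset:0; depth:4;` test can see; a different MSS, a retransmission or a different line length moves the boundary and the alert disappears, which is why the rule fires only occasionally on a busy mail relay.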