[Snort-users] P2P rule not working

Jimmy Hernandez jimmyh at ...8455...
Wed Apr 9 14:58:09 EDT 2003


 I was monitoring my alert file to see if the P2P rule was being
triggered by visiting the kazaa website or by launching the kazaa
program and nothing was triggered. All the other rules that I am
currently using are working just fine. I am particularly interested in
rule 1318



alert tcp $EXTERNAL_NET any -> $HOME_NET 1214 (msg:"P2P Fastrack
(kazaa/morpheus) GET request"; flow:to_server,established; content:"GET
"; depth:4; reference:url,www.musiccity.com/technology.htm;
reference:url,www.kazaa.com; classtype:protocol-command-decode;
sid:1383; rev:3;)


I do not see a warning or error when I run snort for the p2p.rules. But
there is no alert when I visit the site or even download a file. If
downloading I notice (with netstat) that the established port is 2816
and the TIME_WAIT is 1214. Any thoughts? Is anyone having the same


Thanks for all your help!!



Jimmy Hernandez


------------------------------------------------------- This SF.net
email is sponsored by: Etnus, makers of TotalView, The debugger for
complex code. Debugging C/C++ programs can leave you feeling lost and
disoriented. TotalView can help you find your way. Available on major
UNIX and Linux platforms. Try it free. www.etnus.com
_______________________________________________ Snort-users mailing list
Snort-users at lists.sourceforge.net Go to this URL to change user options
or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20030409/224c2470/attachment.html>

More information about the Snort-users mailing list