[Snort-users] Newbie question on gnutella rule
revoohc at ...10743...
Thu Dec 11 15:36:12 EST 2003
I am having a problem with one of the Gnutella rules. It appears to be
labeling all of the connections to my proxy server as gnutella hits
(proxy uses port 8080). Please help me correct this since I definitely
want to sniff for p2p traffic on my company's network.
I am trying to understand why this rule is doing this and how to correct
Thanks for any help,
Snort rule 1432 (P2P GNUTella GET)
alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"P2P GNUTella GET";
flow:to_server,established; content:"GET "; offset:0; depth:4;
classtype:policy-violation; sid:1432; rev:4;)
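
Added example (not part of the original post, and not Snort code): a simplified Python model of rule 1432's port and content tests, run over constructed payloads, showing that any request starting with "GET " and sent to a port other than 80 satisfies the rule. The `excluded_ports` parameter, the `Packet` type and the sample payloads are assumptions made for illustration.

```python
# Simplified model of sid:1432's matching logic (illustration only, not Snort).
from dataclasses import dataclass


@dataclass
class Packet:
    dst_port: int
    payload: bytes


def content_match(payload: bytes, content: bytes, offset: int, depth: int) -> bool:
    """Snort-style content test: search only payload[offset:offset+depth]."""
    return content in payload[offset:offset + depth]


def rule_1432(pkt: Packet, excluded_ports=frozenset({80})) -> bool:
    """True when the packet would alert.

    Assumes the header's direction ($HOME_NET -> $EXTERNAL_NET) and
    flow:to_server,established are already satisfied.
    """
    if pkt.dst_port in excluded_ports:  # models the rule's "!80"
        return False
    return content_match(pkt.payload, b"GET ", offset=0, depth=4)


# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "browser -> proxy:8080": Packet(
        8080, b"GET http://www.example.com/ HTTP/1.0\r\nHost: www.example.com\r\n\r\n"),
    "browser -> web:80": Packet(80, b"GET / HTTP/1.0\r\n\r\n"),
    "gnutella download": Packet(
        6346, b"GET /get/1/sample.mp3 HTTP/1.0\r\nUser-Agent: Gnutella\r\n\r\n"),
    "proxy CONNECT": Packet(8080, b"CONNECT www.example.com:443 HTTP/1.0\r\n\r\n"),
}


def evaluate(excluded_ports=frozenset({80})):
    """Return {sample name: would_alert} for the given excluded port set."""
    return {name: rule_1432(p, excluded_ports) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:24} alert={hit}")
```

The rule's only payload test is the four bytes "GET " at the start of the segment, so in this model the HTTP request to the proxy on 8080 and the Gnutella download are indistinguishable; calling `evaluate(frozenset({80, 8080}))` shows the effect of also excluding the proxy port.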