[Snort-users] Newbie question on gnutella rule

Chris Hoover revoohc at ...10743...
Thu Dec 11 15:36:12 EST 2003


I am having a problem with one of the Gnutella rules.  It appears to be
labeling all of the  connections to my proxy server as gnutella hits
(proxy uses port 8080).  Please help me correct this since I definetly
want to sniff for p2p traffic on my companies network.

I am trying to understand why this rule is doing this and how to correct
it.

Thanks for any help,

chris

Snort rule 1432 (P2P GNUTella GET) 

alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"P2P GNUTella GET";
flow:to_server,established; content:"GET "; offset:0; depth:4;
classtype:policy-violation; sid:1432; rev:4;)






More information about the Snort-users mailing list