[Snort-users] Newbie question on gnutella rule

Josh Berry josh.berry at ...10221...
Sat Dec 13 07:44:02 EST 2003


Since you are using a proxy, all of you web clients are sending GET
requests for web pages to the proxy server on port 8080.  This rule will
alrm if it seems any GET request going to any port except 80.

Maybe you could create a port list of ports that you expect to see GET
requests on, just add !8080 to what is already there (!80).  I believe
that you have to do this like:

[!80,!8080]


> I am having a problem with one of the Gnutella rules.  It appears to be
> labeling all of the  connections to my proxy server as gnutella hits
> (proxy uses port 8080).  Please help me correct this since I definetly
> want to sniff for p2p traffic on my companies network.
>
> I am trying to understand why this rule is doing this and how to correct
> it.
>
> Thanks for any help,
>
> chris
>
> Snort rule 1432 (P2P GNUTella GET)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"P2P GNUTella GET";
> flow:to_server,established; content:"GET "; offset:0; depth:4;
> classtype:policy-violation; sid:1432; rev:4;)
>
>
>
>
> -------------------------------------------------------
> This SF.net email is sponsored by: IBM Linux Tutorials.
> Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
> Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
> Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>


Thanks,
Josh Berry, CTO
LinkNet-Solutions
469-831-8543
josh.berry at ...10268...





More information about the Snort-users mailing list