[Snort-users] Re: [Snort-sigs] P2P GNUTella GET causes lots of false positives

jon baer security at ...9153...
Thu Sep 4 14:18:03 EDT 2003


I had to change it to "GET /uri-res/" (|47 45 54 20 2f 75 72 69 2d 72 65 73 2f|) to monitor correctly ...

- Jon

----- Original Message -----
From: "Shane Smith" <shane at ...10031...>
To: <snort-sigs at lists.sourceforge.net>
Sent: Thursday, September 04, 2003 3:29 PM
Subject: [Snort-sigs] P2P GNUTella GET causes lots of false positives


> Hey Folks,
>
> I'm new to snort, so sorry if this has been covered recently.  SID 1432
> regarding p2p networks seems weird to me.
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"P2P GNUTella GET";
> flow:to_server,established; content:"GET "; offset:0; depth:4;
> classtype:policy-violation; sid:1432; rev:4;)
>
> If I am reading this correctly, then any packet containing "GET" headed out
> of my network, destined for any port other than 80 will trigger this rule.
>
> Won't this cause a false positive with every HTTP GET request to any
> external server with non-standard ports?
>
> For example:
> http://www.nhc.rtp.nc.us:8080/
>
> Simply hitting that URL causes the rule to fire.
>
> Thanks folks,
> Shane
>
>
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>
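To make the false-positive mechanics concrete, here is a small added example (my own code, not part of this thread and not Snort source) that models the `content`/`offset`/`depth` test of SID 1432 as quoted above and applies both the original content and Jon's narrowed `|47 45 54 20 2f 75 72 69 2d 72 65 73 2f|` ("GET /uri-res/") to a few constructed payloads. It assumes the port test reduces to "destination port is not 80" and that `depth` is raised to the 13-byte length of the new content (Jon's message does not say what he did with `depth`; the original `depth:4` cannot hold a 13-byte pattern).

```python
# Added example (not Snort code): a minimal model of the Snort content/offset/depth
# match used by SID 1432, run over constructed sample payloads, showing why the
# original rule fires on any HTTP GET to a non-80 port and why anchoring the content
# on "GET /uri-res/" narrows it to Gnutella-style URN requests.

from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class ContentMatch:
    """One Snort content option: pattern must occur inside payload[offset:offset+depth]."""
    pattern: bytes
    offset: int = 0
    depth: Optional[int] = None  # None = search to end of payload

    def matches(self, payload: bytes) -> bool:
        end = len(payload) if self.depth is None else self.offset + self.depth
        return self.pattern in payload[self.offset:end]


@dataclass(frozen=True)
class Rule:
    sid: int
    msg: str
    dst_port_not: int          # models "$EXTERNAL_NET !80": fire only when port != this
    content: ContentMatch

    def fires(self, dst_port: int, payload: bytes) -> bool:
        return dst_port != self.dst_port_not and self.content.matches(payload)


# SID 1432 exactly as quoted in the thread: "GET " within the first 4 bytes.
SID_1432_ORIGINAL = Rule(1432, "P2P GNUTella GET", 80,
                         ContentMatch(b"GET ", offset=0, depth=4))

# Jon's narrowed content |47 45 54 20 2f 75 72 69 2d 72 65 73 2f| == "GET /uri-res/".
# Assumption: depth raised to the 13-byte pattern length so it stays anchored at offset 0.
NARROWED_CONTENT = bytes.fromhex("47 45 54 20 2f 75 72 69 2d 72 65 73 2f")
SID_1432_NARROWED = Rule(1432, "P2P GNUTella GET", 80,
                         ContentMatch(NARROWED_CONTENT, offset=0, depth=len(NARROWED_CONTENT)))

# Constructed sample traffic (not captured data): name -> (destination port, payload).
SAMPLES: Dict[str, Tuple[int, bytes]] = {
    # Shane's case: an ordinary browser request to a web server on port 8080.
    "http_8080": (8080, b"GET / HTTP/1.1\r\nHost: www.nhc.rtp.nc.us:8080\r\n\r\n"),
    # Same request to port 80: excluded by the !80 port test in both rules.
    "http_80": (80, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    # A Gnutella-style HUGE URN request on a non-80 port (constructed URN value).
    "gnutella_uri_res": (6346, b"GET /uri-res/N2R?urn:sha1:EXAMPLE HTTP/1.1\r\n\r\n"),
    # "GET /uri-res/" appearing later in the payload, not at offset 0: neither rule fires.
    "get_mid_payload": (8080, b"POST /x HTTP/1.1\r\nX-Note: GET /uri-res/ later\r\n\r\n"),
}


def evaluate(rule: Rule) -> Dict[str, bool]:
    """Return {sample name: whether the rule fires} for every constructed sample."""
    return {name: rule.fires(port, payload) for name, (port, payload) in SAMPLES.items()}


if __name__ == "__main__":
    for rule in (SID_1432_ORIGINAL, SID_1432_NARROWED):
        print(f"sid:{rule.sid} content={rule.content.pattern!r} depth={rule.content.depth}")
        for name, fired in evaluate(rule).items():
            print(f"  {name:18s} {'ALERT' if fired else '-'}")
```

Running it shows the original content firing on the plain port-8080 web request as well as the Gnutella request, while the narrowed content fires only on the `/uri-res/` request; the port-80 request and the payload with `GET /uri-res/` outside the anchored window are ignored by both.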