[Snort-users] rule help for a beginner [long sorry]

eamonn doyle edoyle at ...11544...
Wed Apr 14 15:38:03 EDT 2004


Hello,

I am trying to modify an existing rule that is giving me some problems:

# (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al.
#    All rights reserved.
# $Id: p2p.rules,v 1.11 2003/10/20 15:03:11 chrisgreen Exp $
#-------------
# P2P RULES
#-------------
# These signatures look for usage of P2P protocols, which are usually
# against corporate policy


This link below does state that " Any HTTP GET request to a port associated 
with a p2p application may generate a false positive event." 

http://www.snort.org/snort-db/sid.html?sid=1432

So I should I guess be expecting it, even thoughit appears to be a false 
positive in my environment.  I have users that connect to MS Livemeeting 
service and every time they do, this rule is triggered:

alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"P2P GNUTella GET"; 
flow:to_server,established; content:"GET "; offset:0; depth:4; 
classtype:policy-violation; sid:1432; rev:4;)

Alarms:
=====================================================
Apr 13 17:06:53 snort1 snort: [1:1432:4] P2P GNUTella GET
[Classification: Potential Corporate Privacy Violation] [Priority: 1]:
{TCP} 172.16.15.32:40361 -> 204.176.46.191:8005
Apr 13 17:09:41 snort1 snort: [1:1432:4] P2P GNUTella GET
[Classification: Potential Corporate Privacy Violation] [Priority: 1]:
{TCP} 172.16.5.57:2821 -> 204.176.46.185:8005
Apr 13 17:40:57 snort1 snort: [1:1432:4] P2P GNUTella GET
[Classification: Potential Corporate Privacy Violation] [Priority: 1]:
{TCP} 172.16.15.32:40541 -> 204.176.46.191:8005
Apr 13 17:43:06 snort1 snort: [1:1432:4] P2P GNUTella GET
[Classification: Potential Corporate Privacy Violation] [Priority: 1]:
{TCP} 172.16.15.4:7407 -> 204.176.46.190:8005 
=====================================================

whois data:
=====================================================
doyle at ...11646...:~> whois 204.176.46.191
UUNET Technologies, Inc. UUNETCBLK176-179 (NET-204-176-0-0-1)
204.176.0.0 - 204.179.255.255
Placeware, Inc. UU-204-176-46-D2 (NET-204-176-46-0-1)
204.176.46.0 - 204.176.46.255
=====================================================
Placeware=livemeeting now that MS bought them.
================================

I have added a variable to my snort.conf to use in the rule:

# modify the p2p rule to avoid detection on the livemeeting servers.
var LIVEMEETING 204.176.46.0/24

And I have modified the rule as follows adding the !$LIVEMEETING and the []:

alert tcp $HOME_NET any -> [$EXTERNAL_NET,!$LIVEMEETING] !80 (msg:"P2P 
GNUTella GET"; flow:to_server,established; content:"GET "; offset:0; depth:4; 
classtype:policy-violation; sid:1432; rev:4;)

Then restarted everything with no complaints from the logs, but I still seem 
to get the alarms.  

snort1:/var/log/snort/204.176.46.190 # cat TCP\:8005-7407
[**] P2P GNUTella GET [**]
04/13-17:43:06.769467 172.16.15.4:7407 -> 204.176.46.190:8005
TCP TTL:128 TOS:0x0 ID:30612 IpLen:20 DgmLen:267 DF
***AP*** Seq: 0xA5D85ECC  Ack: 0xE00C147  Win: 0xFD5C  TcpLen: 20
47 45 54 20 2F 70 61 67 65 20 48 54 54 50 2F 31  GET /page HTTP/1
2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20  .1..User-Agent:
4D 6F 7A 69 6C 6C 61 2F 34 2E 30 20 28 63 6F 6D  Mozilla/4.0 (com
70 61 74 69 62 6C 65 20 3B 20 4D 53 49 45 20 36  patible ; MSIE 6
2E 30 2E 32 38 30 30 2E 31 31 30 36 20 3B 20 4D  .0.2800.1106 ; M
69 63 72 6F 73 6F 66 74 20 57 69 6E 64 6F 77 73  icrosoft Windows
20 32 30 30 30 20 53 65 72 76 69 63 65 20 50 61   2000 Service Pa
63 6B 20 33 20 3B 20 50 6C 61 63 65 77 61 72 65  ck 3 ; Placeware
20 52 50 43 20 31 2E 30 29 0D 0A 48 6F 73 74 3A   RPC 1.0)..Host:
20 76 61 70 77 62 64 2E 6F 70 73 2E 70 6C 61 63   vapwbd.ops.plac
65 77 61 72 65 2E 63 6F 6D 3A 38 30 30 35 0D 0A  eware.com:8005..
43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 4B 65 65 70  Connection: Keep
2D 41 6C 69 76 65 0D 0A 43 61 63 68 65 2D 43 6F  -Alive..Cache-Co
6E 74 72 6F 6C 3A 20 6E 6F 2D 63 61 63 68 65 0D  ntrol: no-cache.
0A 0D 0A                  


Is there something very obvious that I am doing wrong?
Thanks
Eamonn  




More information about the Snort-users mailing list