[Snort-users] P2P Gnutella Signature does a more precise or final version of the signature exist?
Jacob, Raymond A Jr
raymond.jacob at ...7622...
Tue May 11 15:34:06 EDT 2004
Googling, I found the GET rule:
alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"P2P GNUTella GET"; flow:to_server,established; content:"GET "; offset:0; depth:4; classtype:misc-activity; sid:1432; rev:3;)
that alerts on everything.
I also found a rule:
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P GNUTella client request"; flow:to_server,established; content:"GNUTELLA OK"; depth:40; classtype:policy-violation; sid:557; rev:6;)
Has anyone implemented a rule based on the URL contained in this message?
Does a signature exist in the Snort rule database that is more precise than the first two rules mentioned in this email?