[Snort-users] P2P Gnutella Signature does a more precise or final version of the signature exist?

Jacob, Raymond A Jr raymond.jacob at ...7622...
Tue May 11 15:34:06 EDT 2004


Googling, I found the GET rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"P2P GNUTella GET";
  flow:to_server,established; content:"GET "; offset:0; depth:4;
  classtype:misc-activity; sid:1432; rev:3;)

that alerts on everything.

I also found a rule: 
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P GNUTella client request";
  flow:to_server,established; content:"GNUTELLA OK"; depth:40;
  classtype:policy-violation; sid:557; rev:6;)

Has anyone implemented a rule based on the
URL contained in this message?
http://www.cs.ucr.edu/~tkarag/papers/tech.pdf

Does a signature exist in the Snort rule database that is more precise than the first two rules mentioned
in this email?

Thank you,
Raymond
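To make the imprecision of sid:1432 concrete, here is an added example (not part of the original post or of the Snort rule set) that emulates the content/offset/depth checks of the two quoted rules and runs them over constructed payloads; the function names, port numbers and sample payloads are assumptions for illustration.

```python
from typing import Optional, List

# Minimal emulation of Snort's content/offset/depth matching: offset is where
# the search starts in the payload, depth is how many bytes from that point
# are searched. This is a teaching model, not Snort's detection engine.
def content_match(payload: bytes, pattern: bytes, offset: int = 0,
                  depth: Optional[int] = None) -> bool:
    """True if `pattern` occurs within payload[offset:offset+depth]."""
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    return pattern in window

# The two rules quoted above, reduced to the checks that decide a match.
# dst_port_not models the "!80" in the destination port of sid:1432.
RULES = {
    1432: dict(msg="P2P GNUTella GET", pattern=b"GET ", offset=0, depth=4,
               dst_port_not=80),
    557: dict(msg="P2P GNUTella client request", pattern=b"GNUTELLA OK",
              offset=0, depth=40, dst_port_not=None),
}

def evaluate(dst_port: int, payload: bytes) -> List[int]:
    """Return the sids that would alert on a to-server packet with this payload."""
    hits = []
    for sid, r in RULES.items():
        if r["dst_port_not"] is not None and dst_port == r["dst_port_not"]:
            continue
        if content_match(payload, r["pattern"], r["offset"], r["depth"]):
            hits.append(sid)
    return hits

# Constructed sample payloads (hypothetical, not captured traffic).
SAMPLES = [
    # Ordinary HTTP request to a proxy on 8080: sid:1432 fires (false positive).
    (8080, b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    # Same request on port 80: excluded by "!80", nothing fires.
    (80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    # Gnutella 0.4-style handshake reply within the first 40 bytes: sid:557 fires.
    (6346, b"GNUTELLA OK\n\n"),
    # Gnutella file transfer, which is plain HTTP: only sid:1432 fires.
    (6346, b"GET /get/123/song.mp3 HTTP/1.1\r\nHost: peer.example\r\n\r\n"),
]

if __name__ == "__main__":
    for port, data in SAMPLES:
        print(port, data[:24], evaluate(port, data))
```

Any HTTP GET to a non-80 port trips sid:1432, which is exactly why it "alerts on everything"; a handshake string like the one in sid:557 is far narrower but only sees the session setup, not the HTTP-style transfers that follow.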