[Snort-users] false positive rules in snort

Lawrence R. Hughes, Sr. lhughes at ...14822...
Fri Jun 4 15:50:15 EDT 2010

Hi All,

The following two (2) rules in p2p.rules are false positives... Be aware of the RIAA

drop tcp $HOME_NET 4711 -> $EXTERNAL_NET any (msg:"P2P eDonkey server response";
 flow:established,from_server; content:"Server|3A| eMule";
 fast_pattern:only; metadata:policy security-ips drop;
 reference:url,www.emule-project.net; classtype:policy-violation;
 sid:2587; rev:4;)

drop udp $HOME_NET any -> $EXTERNAL_NET 41170
(msg:"P2P Manolito Search Query"; flow:to_server; content:"|01 02 00 14|";
 depth:4; offset:16; metadata:policy security-ips drop;
 reference:url,openlito.sourceforge.net; reference:url,www.blubster.com;
 classtype:policy-violation; sid:3459; rev:5;)


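As an added example (not part of the message and not Snort's own code), here is a small Python model of the content/offset/depth matching that these two rules rely on, run against constructed payloads; it shows which bytes each rule actually inspects, which is the first thing to check when a rule fires on traffic it should not. The flow and fast_pattern options are parsed but not evaluated, and the reference/metadata options are left out of the embedded rule strings.

```python
# Rules quoted from the message above (msg semicolon restored, reference/metadata options dropped).
RULES = {
    "edonkey": 'drop tcp $HOME_NET 4711 -> $EXTERNAL_NET any (msg:"P2P eDonkey server response"; '
               'flow:established,from_server; content:"Server|3A| eMule"; fast_pattern:only; '
               'classtype:policy-violation; sid:2587; rev:4;)',
    "manolito": 'drop udp $HOME_NET any -> $EXTERNAL_NET 41170 (msg:"P2P Manolito Search Query"; '
                'flow:to_server; content:"|01 02 00 14|"; depth:4; offset:16; '
                'classtype:policy-violation; sid:3459; rev:5;)',
}

def content_to_bytes(spec):
    """Decode a Snort content string: text outside |..| is literal, inside is hex."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += part.encode("latin-1") if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)

def split_options(body):
    """Split the option body on ';', ignoring ';' inside double quotes."""
    opts, cur, quoted = [], [], False
    for ch in body:
        quoted ^= ch == '"'
        if ch == ";" and not quoted:
            opts.append("".join(cur).strip()); cur = []
        else:
            cur.append(ch)
    return [o for o in opts if o]

def parse_rule(rule):
    """Return (header, [(keyword, value), ...]); value is None for flag options."""
    header, body = rule.split("(", 1)
    opts = [o.partition(":") for o in split_options(body.rsplit(")", 1)[0])]
    return header.strip(), [(k.strip(), v.strip().strip('"') if v else None) for k, _, v in opts]

def rule_matches(rule, payload):
    """Apply each content option with its offset/depth modifiers to the payload.
    flow (needs stream state) and fast_pattern (matcher choice only) are not evaluated."""
    pattern = offset = depth = None
    for key, val in parse_rule(rule)[1] + [("content", None)]:  # sentinel flushes last content
        if key == "content":
            if pattern is not None:
                end = len(payload) if depth is None else offset + depth
                if payload.find(pattern, offset, end) == -1:   # pattern must fit in [offset, end)
                    return False
            pattern, offset, depth = (None if val is None else content_to_bytes(val)), 0, None
        elif key == "offset":
            offset = int(val)
        elif key == "depth":
            depth = int(val)
    return True
```

With depth:4 directly after offset:16, the Manolito rule only ever compares payload bytes 16 through 19, so the same four bytes anywhere else in the datagram do not fire it.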
