Snort mailing list archives

RE: P2P GNUTella GET


From: "Dave Thornburgh" <dthorn () myrealbox com>
Date: Mon, 10 Mar 2003 09:45:12 -0800

-----Original Message-----
Sent: Saturday, March 08, 2003 4:51 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] P2P GNUTella GET


hi

I'm being troubled by this alert, it's from
indiatimes.com and is flooding my database.

alert signature:P2P GNUTella GET
source=192.168.0.4:2109
dest=203.199.70.225:8080


I'm a little confused by Ken and Erek's responses.  I thought that
this rule is triggered by Gnutella traffic FROM Bishan's network TO an
external host.  In that case, the rule is to alert him that one of his
users is attempting to run Gnutella.  If I'm reading that right, then
what would be the point of blinding the rule to 8080 traffic?  At that
point, he may as well just comment out the rule altogether.  Am I
reading this whole thing wrong?

Dave



