Snort mailing list archives
Re: Gnutella
From: Matt Kettler <mkettler () evi-inc com>
Date: Thu, 03 Apr 2003 14:48:09 -0500
It has absolutely nothing to do with gnutella. The rule is pretty wide open to false-positives and basically looks for "GET " sent at the start of a TCP frame to some port other than 80.
If you transfer a lot of email with the all-caps string GET then snort will eventually trigger the rule just by random chance of it being at the start of a segment.
p2p.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"P2P GNUTella GET"; flow:to_server,established; content:"GET "; offset:0; depth:4; classtype:misc-activity;sid:1432; rev:3;)
At 01:07 PM 4/3/2003 -0500, Keg wrote:
I have a P2P Gnutella GET alarm generated for some requests from mail servers to 11 addresses, to which it connects on port 25. It looks like legit traffic. Can anybody clarify what it has to do with Gnutella?
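The segmentation effect Matt describes, as an added example that is not part of the original thread or of Snort's own code: a small Python model of the payload test in sid:1432 rev:3 (the p2p.rules line quoted above), run over a constructed SMTP DATA stream that has been cut into MSS-sized segments, and over a constructed Gnutella download request. The port numbers, message text, Segment class and the stricter `matches_tightened` check are my own assumptions for illustration, not anything from the Snort rule set.

```python
"""Constructed model of Snort rule sid:1432 rev:3 (p2p.rules, quoted above).
Added example, not Snort code: it mimics the rule's port/flow/content test to
show why an SMTP session can trip it. Ports and message text are made up."""
from dataclasses import dataclass
from typing import Callable, List


@dataclass
class Segment:
    """One TCP segment as the rule would see it (constructed, not a real capture)."""
    dst_port: int
    to_server: bool      # flow:to_server   (client -> server direction)
    established: bool    # flow:established (handshake already seen)
    payload: bytes


def matches_sid1432(seg: Segment) -> bool:
    """The rule's checks, in the order they appear in the rule text."""
    if seg.dst_port == 80:                          # -> $EXTERNAL_NET !80
        return False
    if not (seg.to_server and seg.established):     # flow:to_server,established
        return False
    # content:"GET "; offset:0; depth:4 searches only payload bytes 0..3, and
    # the pattern is itself 4 bytes, so it must sit at the very start of the segment.
    return seg.payload[:4] == b"GET "


def matches_tightened(seg: Segment) -> bool:
    """Hypothetical stricter check (my own assumption, not a Snort rule): also
    require an HTTP-style request line, which a mail-body fragment lacks."""
    if not matches_sid1432(seg):
        return False
    first_line = seg.payload.split(b"\r\n", 1)[0]
    return first_line.startswith(b"GET /") and first_line.endswith((b" HTTP/1.0", b" HTTP/1.1"))


def segmentize(stream: bytes, mss: int = 1460) -> List[bytes]:
    """Cut a byte stream into fixed-size pieces, roughly as TCP does when the
    sender fills every segment up to the MSS."""
    return [stream[i:i + mss] for i in range(0, len(stream), mss)]


def alerting_segments(dst_port: int, stream: bytes,
                      rule: Callable[[Segment], bool] = matches_sid1432,
                      mss: int = 1460) -> List[int]:
    """Indexes of the segments of `stream` (sent to `dst_port`) on which `rule` fires."""
    hits = []
    for idx, chunk in enumerate(segmentize(stream, mss)):
        if rule(Segment(dst_port, True, True, chunk)):
            hits.append(idx)
    return hits


# Constructed SMTP DATA phase: exactly 1460 bytes, then a body line that starts
# with "GET ". With a 1460-byte MSS the second segment begins on those four bytes.
SMTP_STREAM = (b"DATA\r\n" + b"x" * (1460 - 6)) + b"GET THE Q1 REPORT FROM THE SHARED DRIVE\r\n.\r\n"

# Constructed Gnutella download request to a servent on a typical port.
GNUTELLA_SEGMENT = Segment(6346, True, True,
                           b"GET /get/17/song.mp3 HTTP/1.1\r\nUser-Agent: x\r\n\r\n")


if __name__ == "__main__":
    print("SMTP false positive on segments:", alerting_segments(25, SMTP_STREAM))                 # [1]
    print("same stream, stricter check:", alerting_segments(25, SMTP_STREAM, matches_tightened))  # []
    print("Gnutella GET fires:", matches_sid1432(GNUTELLA_SEGMENT))                               # True
```

The first segment of the mail stream begins with "DATA" and is ignored; the second begins with "GET " purely because of where the MSS boundary fell, and the rule fires on port 25 exactly as reported in the thread. The stricter check is only an illustration of how much more context a rule needs before "GET " means anything; it is not a drop-in replacement for the Snort rule.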
Current thread:
- Gnutella Keg (Apr 03)
- Re: Gnutella Matt Kettler (Apr 03)
- <Possible follow-ups>
- RE: Gnutella Bob Dehnhardt (Apr 03)