Snort mailing list archives

Re: Gnutella


From: Matt Kettler <mkettler () evi-inc com>
Date: Thu, 03 Apr 2003 14:48:09 -0500

It has absolutely nothing to do with gnutella. The rule is pretty wide open to false positives and basically looks for "GET " sent at the start of a TCP frame to some port other than 80.

If you transfer a lot of email with the all-caps string GET then snort will eventually trigger the rule just by random chance of it being at the start of a segment.

p2p.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"P2P GNUTella GET"; flow:to_server,established; content:"GET "; offset:0; depth:4; classtype:misc-activity;sid:1432; rev:3;)


At 01:07 PM 4/3/2003 -0500, Keg wrote:
I have a P2P Gnutella GET alarm generated for some requests from mail servers to 11 addresses, to which it connects on port 25. It looks like legit traffic. Can anybody clarify what it has to do with Gnutella?
--
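The reply above explains why sid 1432 fires on mail traffic: the rule only checks that the first four bytes of a client-to-server segment headed for a non-80 port are "GET ", so any email body whose segmentation happens to put an all-caps GET at a segment boundary matches. The following is an added example, not code from the thread or from the Snort project: a toy model of that matching logic run over constructed segments, including an SMTP message body split at the MSS so that "GET " lands at the start of the second segment. The Gnutella request line and all sample payloads are constructed for illustration.

```python
# Added example: a toy model of Snort's "P2P GNUTella GET" rule (sid 1432)
# as quoted in the post, to show why it alerts on plain SMTP traffic.
# Rule summary: alert tcp $HOME_NET any -> $EXTERNAL_NET !80
#               flow:to_server,established; content:"GET "; offset:0; depth:4
# Every segment and payload below is constructed, not captured traffic.
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Segment:
    dst_port: int
    to_server: bool      # client -> server direction of an established flow
    payload: bytes       # TCP payload of this one segment


def matches_sid1432(seg: Segment) -> bool:
    """Reproduce the rule's matching logic for a single TCP segment."""
    if not seg.to_server:          # flow:to_server,established
        return False
    if seg.dst_port == 80:         # "!80" in the rule header
        return False
    # content:"GET "; offset:0; depth:4 -> pattern must occupy bytes 0..3
    return seg.payload[0:4] == b"GET "


def segment_stream(data: bytes, mss: int) -> list[bytes]:
    """Split a byte stream into MSS-sized TCP segments, as a sender would."""
    return [data[i:i + mss] for i in range(0, len(data), mss)]


def alerts_for_stream(data: bytes, dst_port: int, mss: int) -> list[int]:
    """Indexes of the segments of a to-server stream on which the rule alerts."""
    return [i for i, chunk in enumerate(segment_stream(data, mss))
            if matches_sid1432(Segment(dst_port, True, chunk))]


# Constructed SMTP DATA body; "GET " begins at byte offset 65.
SMTP_BODY = (
    b"From: alice@example.test\r\nSubject: tickets\r\n\r\n"
    b"Please remember to GET THE TICKETS before noon.\r\n"
)

# Constructed Gnutella download request (assumed "GET /get/<index>/<name>" form)
GNUTELLA_REQ = Segment(6346, True, b"GET /get/12/song.mp3 HTTP/1.1\r\n")
# Ordinary web request: excluded by the "!80" port condition
HTTP_REQ = Segment(80, True, b"GET /index.html HTTP/1.1\r\n")

if __name__ == "__main__":
    print("gnutella request alerts:", matches_sid1432(GNUTELLA_REQ))   # True
    print("http to port 80 alerts:  ", matches_sid1432(HTTP_REQ))       # False
    boundary = SMTP_BODY.index(b"GET ")
    # A segment boundary right before "GET " turns a mail body into an alert
    print("smtp body, mss=%d:" % boundary, alerts_for_stream(SMTP_BODY, 25, boundary))
    # Same bytes, larger MSS: "GET " is mid-segment, no alert
    print("smtp body, mss=1460:", alerts_for_stream(SMTP_BODY, 25, 1460))
```

The same mail body alerts or not depending only on where the sender's TCP stack cuts segments, which is the "random chance" the reply refers to; port 25 destinations from a mail relay are the expected victims. A narrower content match anchored on the Gnutella request path (for example requiring "GET /get/" at offset 0, on the assumption above about the request form) would remove this class of false positive.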




