Snort mailing list archives

P2P rule not working


From: "Jimmy Hernandez" <jimmyh () provcom com>
Date: Wed, 9 Apr 2003 14:56:56 -0700

Hi,

 I was monitoring my alert file to see if the P2P rule was being
triggered by visiting the kazaa website or by launching the kazaa
program and nothing was triggered. All the other rules that I am
currently using are working just fine. I am particularly interested in
rule 1318

http://www.snort.org/snort-db/sid.html?id=1383

 

alert tcp $EXTERNAL_NET any -> $HOME_NET 1214 (msg:"P2P Fastrack (kazaa/morpheus) GET request"; flow:to_server,established; content:"GET "; depth:4; reference:url,www.musiccity.com/technology.htm; reference:url,www.kazaa.com; classtype:protocol-command-decode; sid:1383; rev:3;)

 

I do not see a warning or error when I run snort for the p2p.rules. But
there is no alert when I visit the site or even download a file. If
downloading I notice (with netstat) that the established port is 2816
and the TIME_WAIT is 1214. Any thoughts? Is anyone having the same
issue?

 

Thanks for all your help!!

 

r/s

Jimmy Hernandez
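
Added example (not part of the original message and not code from the Snort project): a simplified Python model of how the header and the content/depth options of the rule quoted above are evaluated, run over four constructed TCP segments. The HOME_NET value, the treatment of $EXTERNAL_NET as "not HOME_NET", the addresses and the payloads are assumptions; flow/stream state is not modelled.

```python
import ipaddress
import re

# Rule 1383 as posted above, joined onto one line. The reference and
# classtype options are left out because they do not affect matching.
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 1214 (msg:"P2P Fastrack '
        '(kazaa/morpheus) GET request"; flow:to_server,established; '
        'content:"GET "; depth:4; sid:1383; rev:3;)')

# Assumed variable value (constructed); a real snort.conf defines its own.
HOME_NET = ipaddress.ip_network("192.168.1.0/24")

def parse_rule(rule):
    """Split a rule into its header fields plus the content/depth options."""
    header, options = rule.split("(", 1)
    _action, _proto, src, sport, _arrow, dst, dport = header.split()
    content = re.search(r'content:"([^"]*)"', options).group(1).encode()
    depth = int(re.search(r'depth:(\d+)', options).group(1))
    return src, sport, dst, dport, content, depth

def addr_ok(var, ip):
    """Resolve $HOME_NET, $EXTERNAL_NET (assumed to be !$HOME_NET) or any."""
    inside = ipaddress.ip_address(ip) in HOME_NET
    return {"$HOME_NET": inside, "$EXTERNAL_NET": not inside}.get(var, True)

def port_ok(spec, port):
    return spec == "any" or int(spec) == port

def matches(rule, pkt):
    """True if a segment satisfies the header and the content/depth test.
    The '->' operator is one-directional: left side is source, right is dest."""
    r_src, r_sport, r_dst, r_dport, content, depth = parse_rule(rule)
    src, sport, dst, dport, payload = pkt
    header = (addr_ok(r_src, src) and port_ok(r_sport, sport)
              and addr_ok(r_dst, dst) and port_ok(r_dport, dport))
    # depth:4 restricts the content search to the first 4 payload bytes.
    return header and content in payload[:depth]

# Constructed sample segments (documentation addresses, not captured traffic).
PACKETS = {
    "inbound_to_home_1214": ("203.0.113.7", 40000, "192.168.1.10", 1214, b"GET /file HTTP/1.1\r\n"),
    "outbound_to_peer_1214": ("192.168.1.10", 2816, "203.0.113.7", 1214, b"GET /file HTTP/1.1\r\n"),
    "outbound_web_visit_80": ("192.168.1.10", 3000, "203.0.113.80", 80, b"GET / HTTP/1.1\r\n"),
    "inbound_1214_not_get": ("203.0.113.7", 40001, "192.168.1.10", 1214, b"HTTP/1.1 200 OK\r\n"),
}

def evaluate():
    """Return {segment name: whether rule 1383's modelled checks match}."""
    return {name: matches(RULE, pkt) for name, pkt in PACKETS.items()}

if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:24s} {'ALERT' if hit else 'no match'}")
```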

 
