Snort mailing list archives
Re: P2P GUNTella GET?
From: "Stevo" <checkpoint () ozbergs com>
Date: Tue, 5 Aug 2003 11:39:54 -0700
So how would I modify this line to exclude my Exchange server?? I'm a Snort newbie, so I'm still working these things out!

alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"P2P GNUTella GET"; flow:to_server,established; content:"GET "; offset:0; depth:4; classtype:policy-violation; sid:1432; rev:4;)

Stevo

----- Original Message -----
From: "Gary Danko" <GDanko () proflowers com>
To: "'Stevo'" <checkpoint () ozbergs com>; <snort-users () lists sourceforge net>
Sent: Tuesday, August 05, 2003 10:04 AM
Subject: RE: [Snort-users] P2P GUNTella GET?

I get a lot of these too. Mine are mostly false positives. I have modified the rule to exclude the servers that are sending false pos.

-----Original Message-----
From: Stevo [mailto:checkpoint () ozbergs com]
Sent: Tuesday, August 05, 2003 9:45 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] P2P GUNTella GET?

Hey Snort Gurus,

I'm getting a bunch of these P2P GUNTella GET events in ACID which is cool, but the source address is always my Exchange Server (x.x.x.15) and the destination is always the same (198.116.65.48 port 25)... what is causing this?? Is this something I should be worried about???

Below is the event from Acid:

#15-(1-16307) [snort] P2P GNUTella GET 2003-08-05 08:31:52 x.x.x.15:37897 198.116.65.48:25 TCP

Thanks
Stevo

-------------------------------------------------------
This SF.Net email sponsored by: Free pre-built ASP.NET sites including Data Reports, E-commerce, Portals, and Forums are available now. Download today and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-url.com/go/psa00100003ave/direct;at.aspnet_072303_01/01
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
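Two ways to exclude a single host from the rule quoted in the thread, as an added example that is not part of the original messages. It assumes Snort 2.9-style `ipvar` lists with `!` negation and `suppress` support; 192.0.2.15 is a constructed stand-in for the redacted x.x.x.15, and the names EXCHANGE_SERVER and P2P_WATCHED and the local sid 1000001 are hypothetical.

```snort
# Added example. 192.0.2.15 is a constructed placeholder for the
# Exchange server address that the thread redacts as x.x.x.15.
# Assumes $HOME_NET is a concrete network list, not "any".

# --- Option 1: local copy of the rule with the server excluded ---
# Put this in local.rules and disable stock sid 1432 so that a rule
# update does not overwrite the change. Local rules use sids >= 1000000.
ipvar EXCHANGE_SERVER 192.0.2.15
ipvar P2P_WATCHED [$HOME_NET,!$EXCHANGE_SERVER]

alert tcp $P2P_WATCHED any -> $EXTERNAL_NET !80 (msg:"P2P GNUTella GET (Exchange server excluded)"; flow:to_server,established; content:"GET "; offset:0; depth:4; classtype:policy-violation; sid:1000001; rev:1;)

# --- Option 2: leave the stock rule alone and suppress by source ---
# Goes in threshold.conf (or wherever suppress lines are included).
# gen_id 1 is the text-rule generator; sig_id is the stock rule's sid.
suppress gen_id 1, sig_id 1432, track by_src, ip 192.0.2.15
```

Either option silences this signature for every connection the excluded host originates, so it is worth confirming what that host is actually sending to 198.116.65.48:25 before tuning it out.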