Snort mailing list archives

Re: P2P GNUTella GET


From: "Kenneth G. Arnold" <bkarnold () cbu edu>
Date: Sat, 8 Mar 2003 09:33:40 -0600 (CST)

Unfortunately, Snort doesn't yet have a way to define a non-consecutive
series of ports using a variable.

1.  You could write a pass rule that would be processed before the alert
rules that ignored "GET " on port 8080 for 203.199.70.225.  This would
have the unpleasant side effect that you could not receive any alerts of
any other kind about this machine and this port for "GET " traffic and
this might not be what you want.

2.  You could change the rule to say !80:8080.  This would still alert on
ports under 80 and over 8080 but not the ports in between.

3.  You could change the web server running on port 8080 of 203.199.70.225
to run on port 80 instead.

Anyone have any other ideas?

Ken
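To make the side effect of option 2 concrete, here is an added Python example (not from this thread and not Snort's own code) that evaluates a rule-header port field for the forms discussed here: `any`, a single port, `N:M`, the open-ended `N:` and `:M`, and a leading `!`. It shows that `!80` still fires on 8080, while `!80:8080` negates the whole range, so 443 and every other port between 80 and 8080 stops alerting too.

```python
# Added example: model how a Snort rule-header port field matches a port.
# This is an illustration of the semantics, not Snort's parser.
from typing import List, Sequence, Tuple


def parse_port_spec(spec: str) -> Tuple[bool, int, int]:
    """Return (negated, low, high) for a header port field.

    Accepted forms: 'any', 'N', 'N:M', 'N:' (N and above), ':M' (up to M),
    each optionally prefixed with '!' to negate the whole expression.
    """
    spec = spec.strip()
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:].strip()
    if spec == "any":
        return negated, 0, 65535
    if ":" in spec:
        lo_s, hi_s = spec.split(":", 1)
        lo = int(lo_s) if lo_s else 0
        hi = int(hi_s) if hi_s else 65535
    else:
        lo = hi = int(spec)
    if not (0 <= lo <= hi <= 65535):
        raise ValueError(f"bad port spec: {spec!r}")
    return negated, lo, hi


def port_matches(spec: str, port: int) -> bool:
    """True if a packet to/from `port` satisfies the header field `spec`."""
    negated, lo, hi = parse_port_spec(spec)
    in_range = lo <= port <= hi
    return not in_range if negated else in_range


def ports_alerted(spec: str, ports: Sequence[int]) -> List[int]:
    """Filter a set of destination ports down to those the rule would alert on."""
    return [p for p in ports if port_matches(spec, p)]


# Constructed sample of destination ports seen in "GET " traffic.
SAMPLE_DEST_PORTS = [22, 80, 443, 8080, 8081]

if __name__ == "__main__":
    for spec in ("!80", "!80:8080"):
        print(f"{spec:10} alerts on {ports_alerted(spec, SAMPLE_DEST_PORTS)}")
```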


On Sat, 8 Mar 2003, Always Bishan wrote:

Hi,

I'm being troubled by this alert; it's from
indiatimes.com and is flooding my database.

alert signature:P2P GNUTella GET
source=192.168.0.4:2109
dest=203.199.70.225:8080

this is invoked by the p2p.rules file containing the
rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET !80
(msg:"P2P GNUTella GET"; flow:to_server,established;
content:"GET "; offset:0; depth:4;
classtype:misc-activity; sid:1432; rev:3;)

I want to exclude port 8080 along with port 80, as
mentioned in the alert above.

How do I tell the rule to ignore port 8080 along with
80?

Please do help out soon.

Regards,
Bishan



-------------------------------------------------------
This SF.net email is sponsored by: Etnus, makers of TotalView, The debugger
for complex code. Debugging C/C++ programs can leave you feeling lost and
disoriented. TotalView can help you find your way. Available on major UNIX
and Linux platforms. Try it free. www.etnus.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


