Snort mailing list archives
P2P rule not working
From: "Jimmy Hernandez" <jimmyh () provcom com>
Date: Wed, 9 Apr 2003 14:56:56 -0700
Hi,

I was monitoring my alert file to see if the P2P rule was being triggered by visiting the kazaa website or by launching the kazaa program and nothing was triggered. All the other rules that I am currently using are working just fine.

I am particularly interested in rule 1318 http://www.snort.org/snort-db/sid.html?id=1383

alert tcp $EXTERNAL_NET any -> $HOME_NET 1214 (msg:"P2P Fastrack (kazaa/morpheus) GET request"; flow:to_server,established; content:"GET "; depth:4; reference:url,www.musiccity.com/technology.htm; reference:url,www.kazaa.com; classtype:protocol-command-decode; sid:1383; rev:3;)

I do not see a warning or error when I run snort for the p2p.rules. But there is no alert when I visit the site or even download a file. If downloading I notice (with netstat) that the established port is 2816 and the TIME_WAIT is 1214.

Any thoughts? Is anyone having the same issue?

Thanks for all your help!!

r/s
Jimmy Hernandez
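The header of the rule quoted in the message above, evaluated against three constructed flows (an added example, not part of the original post and not Snort's own code). The HOME_NET range, the addresses and the payloads are assumptions; only the header and the content/depth test are modelled, and each packet is treated as client-to-server on an established session.

```python
import ipaddress
import re

# Assumed value (constructed): the post does not show its snort.conf.
HOME_NET = ipaddress.ip_network("192.168.1.0/24")

RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 1214 (msg:"P2P Fastrack '
        '(kazaa/morpheus) GET request"; flow:to_server,established; '
        'content:"GET "; depth:4; sid:1383; rev:3;)')

# Constructed flows: (src_ip, src_port, dst_ip, dst_port, first payload bytes)
FLOWS = {
    "inbound_to_1214": ("203.0.113.7", 40000, "192.168.1.10", 1214, b"GET /file HTTP/1.1\r\n"),
    "outbound_from_2816": ("192.168.1.10", 2816, "203.0.113.7", 1214, b"GET /file HTTP/1.1\r\n"),
    "web_visit_port_80": ("192.168.1.10", 2817, "203.0.113.9", 80, b"GET / HTTP/1.1\r\n"),
}

def parse_header(rule):
    """Return (src_addr, src_port, dst_addr, dst_port) from a '->' rule header."""
    return re.match(r"alert tcp (\S+) (\S+) -> (\S+) (\S+) \(", rule).groups()

def addr_ok(var, ip):
    inside = ipaddress.ip_address(ip) in HOME_NET
    if var == "$HOME_NET":
        return inside
    if var == "$EXTERNAL_NET":  # assumed to be !$HOME_NET
        return not inside
    return var == "any"

def port_ok(spec, port):
    return spec == "any" or int(spec) == port

def rule_fires(rule, src_ip, src_port, dst_ip, dst_port, payload):
    """'->' is one-way: the left side must match the source, the right side the destination."""
    s_addr, s_port, d_addr, d_port = parse_header(rule)
    header = (addr_ok(s_addr, src_ip) and port_ok(s_port, src_port)
              and addr_ok(d_addr, dst_ip) and port_ok(d_port, dst_port))
    # content:"GET "; depth:4 -> the pattern must lie within the first 4 payload bytes
    return header and b"GET " in payload[:4]

def evaluate():
    return {name: rule_fires(RULE, *flow) for name, flow in FLOWS.items()}

if __name__ == "__main__":
    for name, fired in evaluate().items():
        print(f"{name}: {'alert' if fired else 'no alert'}")
```
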
Current thread:
- P2P rule not working Jimmy Hernandez (Apr 09)
- Re: P2P rule not working Jeff (Apr 09)