Re: [Snort-sigs] P2P GNUTella GET causes lots of false positives

["jon baer" <security () jonbaer net>]

I had to change it to "GET /uri-res/" (|47 45 54 20 2f 75 72 69 2d 72 65 73
2f|) to monitor correctly ...

- Jon

----- Original Message -----
From: "Shane Smith" <shane () crownbank com>
To: <snort-sigs () lists sourceforge net>
Sent: Thursday, September 04, 2003 3:29 PM
Subject: [Snort-sigs] P2P GNUTella GET causes lots of false positives


> Hey Folks,
>
> I'm new to snort, so sorry if this has been covered recently.  SID 1432
> regarding p2p networks seems weird to me.
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"P2P GNUTella GET";
> flow:to_server,established; content:"GET "; offset:0; depth:4;
> classtype:policy-violation; sid:1432; rev:4;)
>
> If I am reading this correctly, than any packet containing "GET" headed
out
> of my network, destined for any port other than 80 will trigger this rule.
>
> Won't this cause a false positive with every HTTP GET request to any
> external server with non-standard ports?
>
> For example:
> http://www.nhc.rtp.nc.us:8080/
>
> Simply hitting that URL, causes the rule to fire.
>
> Thanks folks,
> Shane
>
>
>
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs



-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users