Snort mailing list archives
Re: Newbie question on gnutella rule
From: "Josh Berry" <josh.berry () netschematics com>
Date: Sat, 13 Dec 2003 09:47:13 -0600 (CST)
Since you are using a proxy, all of your web clients are sending GET requests for web pages to the proxy server on port 8080. This rule will alarm if it sees any GET request going to any port except 80. Maybe you could create a port list of ports that you expect to see GET requests on, just add !8080 to what is already there (!80). I believe that you have to do this like: [!80,!8080]
I am having a problem with one of the Gnutella rules. It appears to be labeling all of the connections to my proxy server as gnutella hits (proxy uses port 8080). Please help me correct this since I definitely want to sniff for p2p traffic on my company's network. I am trying to understand why this rule is doing this and how to correct it.

Thanks for any help,
chris

Snort rule 1432 (P2P GNUTella GET)

alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"P2P GNUTella GET"; flow:to_server,established; content:"GET "; offset:0; depth:4; classtype:policy-violation; sid:1432; rev:4;)

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Thanks,
Josh Berry, CTO
LinkNet-Solutions
469-831-8543
josh.berry () linknet-solutions com
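Added example, not code from the thread or from the Snort project: a small Python model of the match conditions in sid:1432 (destination port specifier, then content "GET " at offset 0 with depth 4 on the first client-to-server bytes), run over a handful of constructed flows. It shows why every browser request to a proxy on 8080 trips the rule, and two ways to stop that: excluding the proxy port with a port list, written here in the whole-list negation form ![80,8080] that Snort 2.8 and later document for port lists, or setting HOME_NET to the real internal range so that a client talking to an internal proxy is no longer "$HOME_NET -> $EXTERNAL_NET". The flows, addresses and the assumption that HOME_NET and EXTERNAL_NET default to "any" (the stock snort.conf setting, which is what makes the port the only thing that matters) are mine, not facts from the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Flow:
    """First client->server segment of an established TCP session."""
    src: str
    dst: str
    dport: int
    payload: bytes


# Constructed sample traffic (not captures from the thread). 10.1.1.5 plays
# the internal HTTP proxy on 8080; 203.0.113.x are external hosts.
FLOWS: List[Flow] = [
    Flow("10.1.1.20", "10.1.1.5", 8080, b"GET http://example.com/ HTTP/1.1\r\n"),    # browser -> proxy
    Flow("10.1.1.21", "10.1.1.5", 8080, b"CONNECT example.com:443 HTTP/1.1\r\n"),   # HTTPS via proxy
    Flow("10.1.1.22", "203.0.113.7", 80, b"GET / HTTP/1.1\r\n"),                    # direct web on 80
    Flow("10.1.1.23", "203.0.113.9", 6346, b"GET /uri-res/N2R?urn:sha1:X HTTP/1.1\r\n"),  # Gnutella download
    Flow("10.1.1.24", "203.0.113.9", 6346, b"GNUTELLA CONNECT/0.6\r\n"),            # Gnutella handshake
]


def parse_port_spec(spec: str) -> Tuple[Optional[Set[int]], bool]:
    """Parse a Snort port specifier: any, 80, !80, 1024:, [80,8080], ![80,8080].

    Returns (ports, negated); ports is None for 'any'. Negation applies to the
    whole specifier (the form documented for Snort port lists)."""
    spec = spec.strip()
    if spec == "any":
        return None, False
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:]
    if spec.startswith("[") and spec.endswith("]"):
        spec = spec[1:-1]
    ports: Set[int] = set()
    for item in spec.split(","):
        item = item.strip()
        if ":" in item:                      # range; either end may be open
            lo, hi = item.split(":", 1)
            ports.update(range(int(lo) if lo else 0, (int(hi) if hi else 65535) + 1))
        else:
            ports.add(int(item))
    return ports, negated


def port_matches(spec: str, port: int) -> bool:
    ports, negated = parse_port_spec(spec)
    if ports is None:
        return True
    return (port in ports) != negated


def content_matches(payload: bytes, content: bytes, offset: int, depth: int) -> bool:
    """Snort content with offset/depth: only `depth` bytes from `offset` are searched."""
    return content in payload[offset:offset + depth]


def rule_fires(flow: Flow, dport_spec: str, home_net: str = "any") -> bool:
    """Model of: alert tcp $HOME_NET any -> $EXTERNAL_NET <dport_spec>
    (content:"GET "; offset:0; depth:4;). With home_net == "any" the address
    part matches everything; otherwise EXTERNAL_NET is taken as !$HOME_NET."""
    if home_net != "any":
        net = ipaddress.ip_network(home_net)
        if ipaddress.ip_address(flow.src) not in net or ipaddress.ip_address(flow.dst) in net:
            return False
    if not port_matches(dport_spec, flow.dport):
        return False
    return content_matches(flow.payload, b"GET ", 0, 4)


def alerts(flows: List[Flow], dport_spec: str, home_net: str = "any") -> List[Flow]:
    return [f for f in flows if rule_fires(f, dport_spec, home_net)]


if __name__ == "__main__":
    for spec, home in (("!80", "any"), ("![80,8080]", "any"), ("!80", "10.1.1.0/24")):
        hits = alerts(FLOWS, spec, home)
        print(f"dport {spec:<11} HOME_NET {home:<12} -> {[f'{f.dst}:{f.dport}' for f in hits]}")
```

With the rule as shipped and HOME_NET "any", both the proxy GET on 8080 and the Gnutella download on 6346 alert; with ![80,8080], or with HOME_NET narrowed to the client subnet, only the Gnutella flow is left. Note that the rule never looked at the Gnutella handshake itself: it keys on the HTTP-style GET that Gnutella uses for file transfer, which is why any non-80 HTTP client, a proxy above all, is a false positive for it.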
Current thread:
- a couple of questions Giannakis Eleftherios (Dec 11)
- Re: a couple of questions Matt Kettler (Dec 11)
- Re: a couple of questions Giannakis Eleftherios (Dec 12)
- Newbie question on gnutella rule Chris Hoover (Dec 13)
- Re: Newbie question on gnutella rule Josh Berry (Dec 13)
- Re: Newbie question on gnutella rule Michael Boman (Dec 13)
- Re: a couple of questions Matt Kettler (Dec 11)
- <Possible follow-ups>
- RE: a couple of questions DeBerry, Casey (Dec 11)